Regular readers of our metaverse cybersecurity insights understand that this new immersive platform brings new and sophisticated cyber threats. Unfortunately, this trend looks set to continue as more organisations trial metaverse services.
Many of the services and connections the metaverse needs to thrive and boom have yet to be installed. For example, if you were to purchase a piece of digital land in Decentraland using cryptocurrency, you would not be able to tour the virtual space with a Meta avatar, as the connective infrastructure between metaverses is still being ironed out. Such digital land is hosted on decentralised servers, so there is no real-world location for it.
In fact, an open-source community of tech industry veterans has set up the Open Metaverse Interoperability Group (OMI) to ensure that users can achieve seamless “meta-traversal”. This venture is still in its infancy and a work in progress.
Likewise, cybersecurity in the metaverse is also a work in progress … which is worrying considering the amount of business taking place in the metaverse. The metaverse’s technical cybersecurity protocols are always evolving and updating to reflect threats and risks as they are discovered. However, more work also needs to be done in relation to regulatory bodies and national laws.
Today, we will continue our foray into metaverse cybersecurity and what moves are being made to keep organisations and users safe.
Even before the metaverse, a user’s digital identity was a contentious point of discussion and security. Nefarious individuals can fake a trustworthy identity via phishing emails, vishing calls or even text messages to gain access to physical and digital locations for illegal profit. With the metaverse, a far more immersive platform, cybercriminals can craft far more elaborate forms of identity theft and impersonation.
In TelePerformance’s metaverse analysis, Jeff Schilling (Global Chief Information Security Officer) states: “The threat of social engineering will potentially be even more effective in a 3D world, where deepfakes will be prevalent and an imposter is even more capable of tricking victims.”
So how do you protect yourself from identity mimicry on the metaverse? Schilling continues: “No matter the medium – telephone or metaverse – the best way to resist social engineering is by having a foolproof way to validate who is on the other end of the conversation.”
As a result, you need to incorporate a variety of cybersecurity measures. Metaverse identity security includes strong passwords, biometric logins, multi-factor authentication (MFA), end-to-end encryption and more. According to the Identity Management Institute, in 2020, the global identity protection market size sat at $12.3 billion. This total is expected to double by 2025, boosted by metaverse innovations.
So, if your business is looking to move some parts of its day-to-day business into the metaverse, identity protection and verification must be a critical part of your security protocols. Once your employees and metaverse users feel safe and secure on your platform, you can then start to put further preventative measures in place.
In fact, evidence shows that only 34% of companies with a forward-thinking approach to identity protection experienced a breach, whilst a greater 54% of companies with a reactive approach to cybersecurity experienced a breach (IDSA 2020 Survey).
Very well-known forms of cyberattack are being altered and supercharged in the metaverse. An ordinary ransomware attack in the era of Web 2.0 could result in a hefty one-off ransom being paid. In the metaverse, a ransomware attack could lead to cryptojacking; here ransomware takes over a user’s system indefinitely and uses it to mine for cryptocurrencies in the background.
We teach organisations and their employees to always remain vigilant, smart, and active when operating at work. Malware links are always looking to trick you! They do this with socially engineered emails, social media posts and even compromised physical hardware. However, with the metaverse comes more smoke and more mirrors.
Imagine you are in a metaverse that utilises avatars and accessories. One day you receive a message with a link for free accessories or upgrades to your avatar. Because advice and verification steps have yet to be finalised on these platforms, you could fall for Trojan horses hiding malware.
So, whilst cybersecurity measures are catching up to new cyber threats, the law stumbles idly behind. For example, many countries have laws that prohibit gambling. Do these laws apply to the metaverse as well? Is there a physical location attached to this virtual landscape? In this instance, countries are widening the scope of their gambling regulations to incorporate metaverse platforms; otherwise, they fear, it may become a haven for gambling ventures.
To help organisations get started with metaverse security, we have put together some ideals to follow and protocols to put in place as a solid foundation, in addition to the advice we have shared above:
As adoption and the user base grow, metaverse users will become high-value targets for cyber-attacks. If your organisation takes an active approach to new emerging cyber threats on the virtual platform, you can also be proactive in implementing security measures, protocols, and behaviours to counter them.
Security developers and managers will be at the forefront of metaverse cybersecurity as they will be learning and adapting on the job to new threats and gaps in security.
In truth, we still have a long way to go – technically, legally, and behaviourally – before we have a homogeneous and secure metaverse. And even then, we must remain vigilant to even more innovative cyberthreats.
If you would like more information about how The Security Company can help deliver security awareness training, raise awareness, increase security skills, and establish a secure culture, or how we can run a behavioural research survey to pinpoint gaps in your security culture, please contact Jenny Mandley.
© The Security Company (International) Limited 2023