Securing the metaverse: Innovative or futile?


Cybersecurity has always been a top concern among companies of all sizes, all the more so following the massive digital shift brought about by the pandemic and the growing sophistication of cybercriminals.

But does this concern apply to security in the metaverse? As an emerging trend in business, the metaverse holds promising use cases for existing technologies. However, because of its decentralised nature, hackers are already exploiting any vulnerability they can find there.

According to Philipp Pointner, Chief of Digital Identity at Jumio, digital identity theft is among the greatest security concerns today, and is especially pervasive in the metaverse.

“The metaverse is adding new complications to digital identities. All the personal details — facial features, gestures, reflexes — individuals use to create their digital twin in the metaverse are a prime target for exploitation. With such rich data collected, scammers can access motion data, personal information, and the biometrics of an individual through AR or VR headsets to mimic individuals and initiate unwanted contact or launch social engineering attacks that trick others into sharing their bank or credit card numbers,” he remarked.

The floodgates are open

Since the gaming community is among the most present in metaverse-like virtual worlds, its enthusiasts are highly susceptible to identity theft and account takeover, as cyber thieves target accounts and e-wallets that store cryptocurrencies, NFTs, or in-game credits in the virtual world.

“There are plenty of conversations today about how information gathered in the metaverse can be monetised. For context, as little as 20 minutes of VR (virtual reality) use can generate about 2 million unique data sets on its user. This unprecedented volume of data means bad actors can get a highly accurate look into our preferences and purchase behaviours, in addition to an even richer insight into who we are in the real world, via our avatars,” Pointner explained.

With the metaverse envisioned as “the next-phase, all-encompassing version of the internet and social interaction,” the threat of identity theft is expected to rise, the executive noted.

“As we explore the metaverse as an avatar, someone impersonating our friends could phish for our login details to steal any investments made through their cryptocurrency wallet. There are already cases of this, where scammers steal metaverse ‘land’ — which is bound to investors’ digital wallets and encoded on the blockchain. This essentially serves as a deed to property — once stolen, it’s very difficult to get back,” he said.

Industry effort

A lot of questions surround the concept of the metaverse. For example, will different metaverses communicate with each other, and how? Are the communication channels secure?


“Can the couture we purchase in one metaverse be worn in another? If so, what are the aligning set of security standards to ensure these purchases are kept to one owner? Or, if not, how can we ensure that each separate metaverse balances security, privacy, and user convenience to advance their development?” Pointner asked.

To solve the security issue, the executive proposed the creation of a universal standard for identity verification and security in the metaverse.

The first step towards this objective, said Pointner, is standardising how consumer personal data is shared across companies operating in this virtual world.

“This still is an ambitious task, however, with no organisations leading the way. That said, those who instigate such standards will have a first-mover advantage and can outline their standards as the foremost ecosystem that can gain consumer trust,” he observed.

Since metaverse-like platforms are creating and generating entirely new data streams, which can improve authentication and detection, and even provide a new insight into cybersecurity, it is crucial for stakeholders to agree on key priorities that will enable the metaverse for future generations, Pointner noted.

“Identity, transparency, and a continued sense of unity among defenders will be key (to this end),” he said.

Likewise, international coordination of regulatory efforts is crucial, because of the borderless nature of the advanced technologies present within the metaverse.

“(This) involves industry players, real-world regulatory bodies, cybersecurity and identity verification technology providers, and others — who can come together to realise best practices,” Pointner said.

Evolution of ID verification

Despite the vision of harmonising and strengthening security controls in the metaverse, Pointner highlighted that the move should not lessen or complicate the experience for users.

Stakeholders can instead design a workflow that benefits both users and the organisation, in which convenience is not sacrificed for the sake of minimising costs and security risks.

“There are already bank-grade identity verification technologies available that can verify that users are who they say they are, without any laborious steps. The financial services industry is already implementing modern features such as facial recognition and liveness detection, on top of ID checks — which enable them to determine the user’s physical presence behind an app — to thwart impostors, reduce fraud levels, and ensure the highest levels of identity verification. These technologies can form the foundation for verification standards in the metaverse to ensure that all transactions are secure, safe, and kept private,” the executive said.

To contribute to this end, Pointner shared that Jumio has been developing deep learning models to “dramatically” improve identity verification accuracy and speed, out of the company’s AI and machine learning labs in Montreal, Canada, and their innovation lab in San Diego, California.

“Artificial intelligence has already been productionalised to reduce the time it takes to verify an ID document or an online identity. This is helping Jumio’s customers reduce their abandonment rates and increase new account conversions while protecting them from fraud,” he shared.

Pointner also cautioned against the deployment of too many security solutions from various vendors, a phenomenon prevalent across industries during the height of the pandemic.

“It’s important to note that using multiple cybersecurity vendors may increase risk of non-compliance with KYC (know your customer) and anti-money laundering regulations, while also complicating business operations and the customer experience — something that should not be overlooked,” he clarified.

“We would expect to see increased market movements to a single, comprehensive platform that consolidates all these capabilities for identity verification, while maintaining compliance effectively. This would offer consumers a secure, seamless digital onboarding experience with even more transparency and greater flexibility,” Pointner added.

As to what lies ahead, the executive was optimistic in his observations of industry efforts to beef up enterprise security, including in the metaverse.

“With the growing rate of usage of online services, organisations are clearly implementing the robust identity verification methods required to protect against the risks associated with virtual services. Considering the high adoption rate at the moment, we can foresee biometric identity verification methods replacing passwords in the future,” Pointner said.

“Just as we want to feel safe in the real world or on social media, safety and security must be a given and consistent experience in the metaverse. The time is ripe for stakeholders to come together to define the standards that will support the advancement of a safe metaverse,” he concluded.