December 12, 2024
Crypto Phishers Are Exploiting Poor UX. The Industry Is Stepping Up.
 #CriptoNews

According to recent trends, there’s a noticeable shift underway in crypto crime. Over the last year or so, hackers have seemingly been less interested in technical heists involving smart contract exploits, instead favoring the cyberattacker’s traditional target of choice – humans. Web3 security firm Peckshield revealed in its most recent semi-annual report that DeFi now accounts for close to 60 percent of losses to hacks, with fake links to DeFi platforms involved in the majority of incidents.

The issues this year haven’t been limited to smaller platforms that could be seen as easier targets, either – flagship DeFi lending app Compound was among those affected. Analytics platform Dune recently launched a dedicated dashboard tracking losses to hacks, specifically including social engineering attacks, further demonstrating the extent of the issue.

Viewed from a certain perspective, this shift could represent a positive development for the industry. After many years where smart contract bugs and exploits such as flash loan attacks became seemingly commonplace, maybe the current trend indicates that the industry has successfully raised the bar when it comes to the quality of the underlying code.

Furthermore, once a bug has been identified, protocols typically rush to implement a fix, meaning it’s a one-shot opportunity. In contrast, phishing in the Web3 waters, where users have historically struggled against the tide of poor UX, enables attackers to keep casting the nets again and again.

Security Innovations for a Web3 World

Thankfully, the most vulnerable elements of UX could soon be consigned to the past. One of crypto’s biggest security challenges has been the dependence on users maintaining their own seed key without a failsafe or a way to reverse transactions.

In an attempt to address this, some projects abstract away the poor UX by offering users options such as blind signing (signing a transaction without seeing all of the underlying data) or connecting wallets to social accounts. Unfortunately, these measures also introduce additional attack vectors for phishing fraudsters to exploit.

For instance, blind signing is frequently a legitimate requirement that allows DeFi smart contracts to interact with user wallets, but it is now also exploited as part of phishing attacks. A sufficiently convincing copycat user interface that asks the victim to blind-sign a transaction granting unlimited access to the wallet and its contents lets attackers lure as many victims as they can before anyone raises the alarm.

Ivo Georgiev, CEO of Ambire wallet, explains one possible solution to tackle this problem.

“Transaction simulation is a feature that allows the user to clarify what will happen when the transaction is executed, ensuring they are fully informed of the possible outcomes. Transaction simulation will eliminate blind signing, a significant enabler of phishing attacks because you often don’t know exactly what you’re signing. It’s amazing how this has become the norm in our industry.”

Transaction simulation can help a user to understand the risks before they execute the transaction, but what about once they press send? A key UX challenge of blockchain is the lack of an “undo” button, while there are no anti-fraud checks or surveillance of the kind that banks routinely carry out to catch fraudulent activity before any money is lost.
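The piece of transaction simulation that directly attacks the blind-signing problem is explaining the calldata before the user signs. The following is an added example, not code from the article or from any wallet vendor: it statically decodes the three approval-style calls that drain-by-signature pages most often request (ERC-20 `approve`, ERC-20 `transfer`, ERC-721/1155 `setApprovalForAll`) and turns them into a severity-rated plain-language finding, flagging the unlimited allowance case the article describes. A production simulator would additionally execute the call against chain state; the contract and spender addresses below are constructed for the demo.

```python
# Added example (not from the article or any wallet vendor): a minimal
# pre-signing check that decodes the calldata of the approval-style calls
# phishing pages commonly request, so the user sees "what will happen"
# instead of blind-signing an opaque hex blob. Real wallet simulation also
# executes the call against chain state; this is static decoding only.
from typing import Any

# 4-byte selectors of standard ERC-20 / ERC-721 functions (first 4 bytes of
# keccak256 of the canonical signature). These are well-known constants.
SELECTORS = {
    "095ea7b3": ("approve", ("address", "uint256")),          # ERC-20
    "a9059cbb": ("transfer", ("address", "uint256")),         # ERC-20
    "a22cb465": ("setApprovalForAll", ("address", "bool")),   # ERC-721/1155
}
UINT256_MAX = 2**256 - 1


def decode_calldata(hexdata: str) -> dict[str, Any]:
    """Decode ABI-encoded calldata for the selectors above.

    Returns {"function": name, "args": [...]}, or function "unknown" for
    anything else. Malformed argument lengths raise ValueError rather than
    being guessed at: a decoder that guesses is worse than one that refuses.
    """
    data = hexdata[2:] if hexdata.lower().startswith("0x") else hexdata
    data = data.lower()
    selector, body = data[:8], data[8:]
    if selector not in SELECTORS:
        return {"function": "unknown", "selector": "0x" + selector, "args": []}
    name, types = SELECTORS[selector]
    if len(body) != 64 * len(types):
        raise ValueError(f"{name}: expected {len(types)} 32-byte words, got {len(body) // 64}")
    args: list[Any] = []
    for i, typ in enumerate(types):
        word = body[64 * i: 64 * (i + 1)]
        if typ == "address":
            # An address occupies the low 20 bytes; the high 12 must be zero.
            if word[:24] != "0" * 24:
                raise ValueError("address word has non-zero padding")
            args.append("0x" + word[24:])
        elif typ == "uint256":
            args.append(int(word, 16))
        elif typ == "bool":
            args.append(int(word, 16) != 0)
    return {"function": name, "args": args}


def assess_transaction(tx: dict[str, Any]) -> list[tuple[str, str]]:
    """Return (severity, plain-language explanation) findings for a tx dict
    with "to" (contract address) and "data" (calldata hex)."""
    decoded = decode_calldata(tx["data"])
    fn, args = decoded["function"], decoded["args"]
    findings: list[tuple[str, str]] = []
    if fn == "approve":
        spender, amount = args
        if amount == UINT256_MAX:
            findings.append(("HIGH", f"grants {spender} an UNLIMITED allowance on token {tx['to']}"))
        elif amount > 0:
            findings.append(("MEDIUM", f"lets {spender} spend up to {amount} units of token {tx['to']}"))
        else:
            findings.append(("INFO", f"revokes {spender}'s allowance on token {tx['to']}"))
    elif fn == "setApprovalForAll":
        operator, approved = args
        if approved:
            findings.append(("HIGH", f"lets {operator} move EVERY NFT you hold in collection {tx['to']}"))
        else:
            findings.append(("INFO", f"revokes {operator} as operator for collection {tx['to']}"))
    elif fn == "transfer":
        to, amount = args
        findings.append(("MEDIUM", f"sends {amount} units of token {tx['to']} to {to}"))
    else:
        findings.append(("WARN", f"unrecognised call {decoded.get('selector')}: cannot explain, do not blind-sign"))
    return findings


def _word(value: int) -> str:
    """ABI-encode an integer as one 32-byte hex word."""
    return format(value, "064x")


if __name__ == "__main__":
    # Constructed sample: the classic phishing request, approve(spender, 2**256-1).
    # Token and spender addresses are made up for the demo.
    token = "0x" + "aa" * 20
    spender = "0x" + "11" * 20
    phish = {"to": token, "data": "0x095ea7b3" + _word(int(spender, 16)) + _word(UINT256_MAX)}
    for severity, text in assess_transaction(phish):
        print(severity, text)
```

The design point is the `unknown` branch: anything the decoder cannot explain is surfaced as a refusal to explain, which is the signal a user should treat as "do not sign", rather than being shown as a bare hex string that looks no different from a benign call.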

Shady El Damaty, Co-founder of zero-knowledge verification protocol Holonym, outlines how it’s possible to implement a failsafe without compromising the secure immutability of the blockchain:

“Two Party Compute (2PC) is a new paradigm for maintaining a web standard UX (e.g., sign-in with socials) but assuming zero trust. With 2PC, the key is broken into two pieces: one that sits with the user and the other that is held by a company or decentralized network. Even if the user key is compromised by malware, policies on the second key can prevent large amounts of funds being transferred out or require additional verification.”

For an industry where, until relatively recently, the mantra “not your keys, not your crypto” was still commonplace, these are encouraging developments. Rather than blaming the victim for falling prey to hackers who exploit crypto’s historically poor UX, future users seem set to benefit from a smoother and less risky on-chain experience.
