Cybersecurity and the metaverse
While there’s still some debate about precisely what the metaverse is, more and more people are participating in metaverses both on the blockchain and on existing web interfaces. Unfortunately, today’s metaverses are being developed with security as an afterthought.
While security tools will most certainly be developed over time, for now businesses and individuals need to consider the following challenges when participating in the metaverse:
● Ensuring digital ownership of virtual goods and NFTs and preventing fraud
● Protection of personal information
● Lack of security in metaverse software
● Protection of personal keys, seeds, and logins
● Lack of privacy (the walls are literally listening)
● Social engineering and cyberattack risks
● Blockchain security features and shortcomings
● Money laundering risks with crypto assets
● Business cybersecurity in the metaverse
The blockchain industry has shrugged off the risks of its technology by declaring the importance of people taking individual security measures. The lack of built-in security in the metaverse means companies and individuals alike must be highly vigilant in protecting their businesses and employees when using this nascent technology.
What is the metaverse?
The metaverse is the next natural evolution of the World Wide Web. Rather than the flat website world we’re accustomed to navigating, it attempts to integrate more natural interactions that mimic the 3D world.
In the metaverse, a character can enter an office or storefront, walk around a room displaying a company's products, and even try them in a simulation environment.
There isn't one metaverse but multiple different online worlds. They fall into several categories: virtual worlds with storylines like games and comic books, worlds that mirror real-world locations, augmented reality, lifelogging, and virtual environments for business and entertainment.
Firstly, blockchain creates the means to issue currency, and online games have had their own in-game currency for decades. Secondly, blockchain technology allows the creation of unique and certifiable digital items, so people can actually own "land" and other items in a metaverse using technology that gives them a type of indisputable title deed.
The combination of money and ownership rights is creating new digital economies. Unlike before, these digital economies do not need to be owned, held, and maintained by a centralized gaming company — the ownership can be distributed among the players.
The potential of these blockchain-based metaverses has unleashed unbridled enthusiasm. Many experts believe that just as every business has a website today, in the future, every business will have a metaverse representation.
Older Web 2.0 technology can also include metaverses. Games such as Second Life and Minecraft would qualify as metaverses by this loose definition. Similarly, online conferencing technology such as Gather and Topia are virtual offices that could be considered early business-oriented metaverses.
Why metaverse security is important
Metaverse activity, for the most part, is economic activity. Whether someone’s playing a game to win crypto tokens, streaming gameplay for advertising revenue, attending meetings in a virtual world, trading digital collectibles, or building their online presence in a metaverse, all of this activity has real-world financial value.
Even more subtle and pernicious, metaverse activity has a fantasy or game-world feel to it — so people may not be careful with their actions. Conversely, some people display behaviors that don't reflect their real-world personalities but might have implications on their real-world reputations. Using an avatar can make them think they’re anonymous, but with weak or non-existent security, uncovering someone's real-life identity can be easy for an attacker.
This combination of weak security, monetary and financial activity, and the vulnerability to thinking simple chat is harmless creates a perfect attack vector for malicious actors.
Relevance of the metaverse to business and enterprise
Businesses are just beginning to experiment with the financial, entertainment, and promotional aspects of the metaverse. While nobody really knows how the metaverse will evolve, the following potential use cases are examples of the opportunities being explored:
● Online virtual conferences, art galleries and sales, and meetings
● In-game and in-metaverse advertising
● Purchasing of virtual lands for development, sale, or investment
● "Parking" of virtual lands (similar to domain name parking)
● Creating virtual buildings and games that are sold onward to another business
● Advertising in the metaverse
● Virtual promotional activities, such as giveaways of digital collectibles, contests, or tournaments
● Production of digital items that can be used in games
One of the fastest-growing business opportunities in the metaverse is the play-to-earn game phenomenon, popular particularly in low-income countries in Southeast Asia. Players earn cryptocurrency for playing and competing in these games. Potential income can range from $5 to $50 per day of playing.
In some countries with high inflation rates, local businesses will even accept these in-game cryptocurrencies instead of legal tender. It's possible to imagine emerging markets where the only way to sell would be by using the cryptocurrency used by the local population.
Digital ownership and NFTs
For many years now, players in online games like Second Life and Minecraft have spent hours building, making artistic creations, and designing experiences that become part of the game for other players. Yet, until the advent of NFTs, in most cases, people could not own or track ownership of their in-game items. While SecondLife and World of Warcraft did allow in-game ownership, the ownership was centralized within the game rather than being public and easily exchangeable.
Blockchain metaverses use NFTs to develop true ownership of in-game items such as lands, weapons, buildings, and avatars. In-game NFTs sell for anywhere between tens to hundreds of thousands of dollars.
NFTs carry two major security risks: theft and fraud. Theft is more difficult as people hold their own cryptographic keys, although some users don’t know how to secure them. Fraud can happen when people are not careful about how they purchase NFTs. Within the metaverse or on official NFT marketplaces, people can find reliable sellers, but it’s still possible to pull off scams.
Identity gap in the metaverse
Rather than use real identities, in the metaverse people and businesses are identified using pseudonymous handles or nicknames. It's fairly easy to fake a company name or pretend to be someone else.
While the blockchain has promoted the use of monikers as part of the privacy offered in the network, it's also a major risk factor. Using fake names allows people to engage in a myriad of unethical behaviors and get away with it. Add to the mix that cryptocurrency holders generally use VPNs when accessing the metaverse, and it can be almost impossible to trace the sources of fake identities.
While several identity startups have launched in the blockchain space, no reliable identification standards have been implemented, which opens the door to a large range of potential fraudulent and unethical behaviors.
It's impossible to monitor all of the different metaverses; someone could pretend to represent a business and do untold harm to the real business's reputation. In a decentralized system, it's unclear how to resolve this kind of fraud and what authorities would have the jurisdictional authority to do so.
How metaverse is (not) addressing security
Unfortunately, to date, the metaverse development community has done almost nothing to address the blatant cybersecurity issues. Because anonymity and transparency are heralded as virtues, the industry in general has indulged in shoddy cybersecurity practices.
While security-minded people and companies can find safer ways to participate in the metaverse, these are still emerging online technologies with a higher threat level than more established ones.
Blockchain has some intrinsic security features, such as protection against network attacks, punishment of bad actors, consensus mechanisms, and privacy. However, hacks are still common.
Keys, seeds, and secure logins
Blockchain gives users control and real ownership of their online assets. Using non-custodial wallets, the users hold their own cryptographic keys and seed phrases that allow them to access their crypto assets. Non-custodial ownership means that if someone loses a seed phrase and key, they simply cannot access their cryptocurrency.
There’s no authority that can recover the keys or give them login access. In this system, there’s no bank or government that could confiscate crypto assets, but on the downside, there's nobody to go to if you lose your sign-in credentials.
Problems arise when people don’t securely store these keys. People who store any of their cryptographic or metaverse login information in a digital format are in danger of having their computer hacked and their assets stolen. As with any type of password, users may be vulnerable to attacks from spyware that can detect when the user logs into any crypto account with valuable assets.
Personal data, eavesdropping, and metaverse privacy risks
Social engineering attacks take on a different nature in the metaverse, because to some degree all "rooms" are bugged. Metaverse developers may store information about chats, and something that looks like an inanimate object could actually be another player eavesdropping on a conversation.
In many metaverses, there's nothing stopping users from recording or broadcasting their movements and activities — or recording others without their knowledge. Identity theft and other hacks can result from the social engineering that happens through eavesdropping or indiscriminate recording of information.
Money laundering and crypto assets
While not strictly a security concern, crypto assets have been used for a variety of money laundering activities, because crypto can be moved in seconds.
Since tax regulations have failed to keep up with this technology, those with metaverse assets may find themselves inadvertently evading reporting or tax requirements. Consulting a lawyer or accountant is only a partial solution — to stay on the right side of the law, it’s advisable to act as if these assets are taxed the same way as real-world ones.
Safety with Acronis
While metaverse-oriented security products are still not mature, basic data storage and protection is something every company should be interested in.
Acronis Cyber Notary Cloud is one of the first blockchain-based services for file notarization, e-signatures, and verification for small businesses to enterprises. Designed for service providers, Cyber Notary Cloud enables customers to ensure the authenticity of business-critical data, achieve regulatory transparency, and mitigate security risks.
While Acronis doesn’t yet have a presence in the metaverse, the team looks forward to the potential of blockchain metaverses in the next evolution of online business.
Acronis is a Swiss company, founded in Singapore. Celebrating two decades of innovation, Acronis has more than 2,000 employees in 45 locations. Acronis Cyber Protect solution is available in 26 languages in over 150 countries and is used by 18,000 service providers to protect over 750,000 businesses.