How crypto tokens became as unsafe as payment cards once used to be

Last month, hackers stole roughly $100 million in cryptocurrency from Harmony blockchain bridge. It looks like another wave of the recent storm that started almost a year ago. In August 2021, DeFi Poly Network was breached with $600 million robbed from the user accounts. Then, in February 2022, hackers stole $320 million from the users of crypto trading firm Wormhole. It was followed by another breach in March when hackers pocketed nearly 600 million dollars in crypto from an online gaming company by exploiting a crypto payment system Ronin Network. 

To less sophisticated users, it might sound like blockchain technology is vulnerable, which is not necessarily true. For example, some “core” blockchain code such as Bitcoin can still be trusted because it is based on strong cryptography and has been scrutinized by millions of users, including hackers, for several years. But new tech like Harmony must be in beta testing for months or even years before it can be considered safe.

It’s incredible how people trust their money to untested, uncertified code. Traditional financial and payment software goes through excessive testing and regulatory compliance certifications before it moves to production, yet there are still security incidents. But crypto software is not regulated, so no testing requirements or certifications exist. 

The new crypto fintech era

It seems that crypto fintech is undergoing the same saga as the one experienced by the payment card industry during the 2000s and 2010s. During that time, card data breaches were popping up daily, exposing millions of records of cardholders’ sensitive information. In many cases, hackers sold the data on the darknet to other criminal gangs for further “monetization.” Those secondary groups specialized in creating fake plastic cards using stolen cardholder information and cashing them out by online or in-store purchases. 

The payment card industry cracked down on those security issues by creating payment card industry security standards (PCI DSS) and forcing players such as merchants, banks, and payment processors to follow the rules. Another robust measure to fight the payment cards fraud was implementing new payment security technologies such as point-to-point encryption, chip&pin (smart cards), and secure online payment processors like PayPal.

Crypto fintech does not have all those security standards and technologies yet. The coins and tokens are as bare and vulnerable as plastic payment cards with magnetic stripes with account numbers embossed on them. Note: Such cards still exist, but are much more protected today. It took several years for the payment card industry to realize that an existential threat must be addressed. The latest mega crypto breaches signal that the blockchain industry needs to recognize it and begin learning from the lessons of its predecessor. And users should be careful and think twice before trusting their money to adventurous technology. 

Slava Gomzin is Director of Payments and Cybersecurity at Toshiba Global Commerce Solutions and an expert in blockchain technology. He is the author of Crypto Basics, Hacking Point of Sale and Bitcoin for Nonmathematicians. He is also cofounder of the Lyra blockchain.