It’s only in early form, but companies are already entering the metaverse space, with major banks and wealth management players including JPMorgan and Citigroup launching virtual buildings for users to visit and explore.
However, a host of security vulnerabilities have prevented significant progress in traditional banking transactions in the metaverse, with crypto heists still raising concerns about the secure interoperability of private funds.
What is the metaverse and what does it have to do with banking?
HSBC, a major investor in the sector, defines the metaverse as “a new virtual world where our physical and digital lives effortlessly converge to create a unified space where one can work, play, socialize, transact and communicate.”
If these realities ever “come together effortlessly” in a true sense, then real world wealth must be accessible, usable, and secure in both.
The metaverse has the potential to create countless opportunities for the banking industry, from new revenue streams to easier achievement of ESG goals, particularly related to financial inclusion and demographics. However, emerging platforms are inevitably exposed to risk as cyber attackers exploit vulnerabilities in new technology. Until customers can trust that their money is adequately protected, traditional banking in the metaverse will remain a utopia.
Will the metaverse change banking?
The metaverse has yet to take off, with reports that Decentraland only attracted 38 active users in a single day in October 2022. It appears the “move” to the metaverse is little more than a tentative move at this stage.
GlobalData’s recent sentiment surveys revealed that 42% of respondents believed the metaverse would not cause disruption, while only 23% said disruption to the theme would be “significant.” However, the negative sentiment has not stopped banks from investing: 431 metaverse-related deals were made in the industry between Q1 2017 and Q1 2023.
Significantly, more than half of these were venture capital deals, demonstrating that the theme is still in its infancy; there is clearly deliberate investment in the growth of the technology, and the metaverse could still have an impact on the banking industry.
What are the risks of banking in the metaverse?
Retail banks are particularly at risk when moving to the metaverse. GlobalData analyst Suneet Muru explains that the growth of the metaverse carries an inherent risk: “As people become more interested in the metaverse, they are more likely to trust the platforms with sensitive information, which will be exposed if those platforms are hacked. Security risks are especially the case for asset managers who perform extensive KYC checks on their clients and therefore store a lot of private data.”
Private banks hold extremely valuable personal data, often of prominent and wealthy individuals. While they generally contain less data, it is likely to be of greater value to a hacker.
Speaking to PBI, Ali Qureshi, chief revenue officer and co-founder of SideDrawer, explained that sensitive data is “extremely valuable to adversaries in the space because there is a market for an individual’s personally identifiable information that can be bought and sold on the dark web.”
This appeal has historically made email the most popular target for cybercriminals: a single click on a malicious link can expose a dialogue between clients, asset managers and lawyers. In 2022, 21,832 Business Email Compromise (BEC) scams were reported to the FBI, with adjusted losses in excess of $2.7 billion. As banking enters the metaverse, so will a wealth of desirable data, and attacks are bound to follow. It’s a relatively unregulated space, making the metaverse a wild west for scammers.
How did cybercriminals attack wealth in the metaverse?
There are three primary ways cybercriminals steal cryptocurrency: bridge attacks, wallet attacks, and DeFi vulnerabilities.
According to Chainalysis, bridge attacks are the method of choice for digital thieves, accounting for 69% of stolen funds by 2022. Because they are blockchain-based, metaverse platforms are particularly vulnerable to these attacks. Cryptocurrency interoperability is enabled by cross-chain bridges connecting blockchains; these bridges are less secure than the blockchains they connect, allowing hackers to access funds.
The 2022 Ronin Bridge hack remains the largest crypto heist on record. It happened when the Lazarus Group accessed five of the nine transaction validator private keys for the Ronin Network’s cross-chain bridge. Axie Infinity, a popular play-to-earn blockchain game, had funds worth $620 million stolen from Ronin, the Ethereum-based blockchain. Only about $30 million of the stolen and laundered funds has been recovered.
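The five-of-nine validator keys described above amount to a k-of-n quorum rule. The following is an added example, not code from Ronin or from this article: it checks a quorum over distinct validators and reports how few custodians would have to be breached to reach it. The validator set, the custodian names and the use of HMAC in place of real digital signatures are all assumptions made for the demo.

```python
import hashlib
import hmac

THRESHOLD = 5  # valid signatures required out of the nine validators

# Constructed validator set: id -> (custodian, secret key). All values are made up.
CUSTODIANS = ["org-a", "org-a", "org-a", "org-a",
              "org-b", "org-c", "org-d", "org-e", "org-f"]
VALIDATORS = {
    f"v{i}": (custodian, hashlib.sha256(f"demo-key-{i}".encode()).digest())
    for i, custodian in enumerate(CUSTODIANS, 1)
}

def sign(validator_id, message):
    """HMAC stands in for a validator's digital signature (demo assumption)."""
    key = VALIDATORS[validator_id][1]
    return hmac.new(key, message, hashlib.sha256).digest()

def quorum_reached(message, signatures):
    """True if at least THRESHOLD distinct known validators signed `message`."""
    valid = set()
    for validator_id, sig in signatures:
        if validator_id not in VALIDATORS:
            continue  # unknown signer: ignore
        if hmac.compare_digest(sig, sign(validator_id, message)):
            valid.add(validator_id)  # a set, so duplicates count once
    return len(valid) >= THRESHOLD

def custody_report():
    """Return (keys per custodian, fewest custodians whose keys reach quorum)."""
    counts = {}
    for custodian, _ in VALIDATORS.values():
        counts[custodian] = counts.get(custodian, 0) + 1
    keys, custodians_needed = 0, 0
    # Taking the largest holders first gives the smallest group reaching quorum.
    for held in sorted(counts.values(), reverse=True):
        if keys >= THRESHOLD:
            break
        keys += held
        custodians_needed += 1
    return counts, custodians_needed

if __name__ == "__main__":
    counts, needed = custody_report()
    print(f"keys per custodian: {counts}")
    print(f"custodians that must be breached to reach quorum: {needed}")
```

In this constructed set, nine validators reduce to two independent parties, which is the number an operator should monitor alongside the nominal threshold.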
Crypto wallets are also at risk of being hacked. Funds are secured by a key, held either by a third party (in a custodial wallet) or by the user (in a non-custodial wallet). Hackers will attempt to access this key by installing malware that allows them to collect the key when the wallet is connected to a decentralized finance dApp during a transaction. The key allows cyber attackers full access to the wallet’s contents and allows them to make malicious transactions.
AI poses a new threat to metaverse security, with researchers having already succeeded in jailbreaking LLMs such as ChatGPT. This can quickly become a slippery slope for cybersecurity.
“In the past, a bad actor had to know how to develop some kind of code,” Qureshi explains. “These very free AI tools available to you – which are only getting more powerful – can write content that is even more dangerous. You just added a huge amount of gas to the fire.”
How do banks avoid being hacked?
According to GlobalData Task analysis, banking and payments companies hired more than 150,000 cybersecurity professionals in 2021 and 2022, the second highest number of any industry. The trend suggests that banks are aware of the risks and that cybersecurity remains a primary concern for the industry.
Blockchain security is still evolving, but cryptographic techniques are already crucial to prevent third parties from accessing private data; by protecting data with hash functions and asymmetric cryptography, blockchains keep data secure and immutable. Blockchain also uses a consensus mechanism to validate networks and support the immutability of completed transactions.
Identity theft in the metaverse
Bank safety has long been threatened by identity theft, a problem complicated in the metaverse by the use of personalized avatars. A malicious party can log into another user’s account and access their funds while donning a digital disguise. This way, scammers can also target the original user’s acquaintances, tricking them into transferring money or sharing personal information under the guise of an avatar they believe to be their friend. Multi-factor authentication will be the obvious way to mitigate this risk, but with little regulation around the metaverse currently, it’s unclear exactly how this will manifest.
The failed startup SELF became a prime example of the importance of authenticated identity when its partner, Evolve, pulled the plug on the project on launch day.
Speaking to Tech Round in February 2021, Elliot Goykhman, CEO of SELF, had promised that: “simply tapping menu buttons in any of these messengers is all it takes to issue a virtual Mastercard or Visa card in under 30 seconds. No need to scan documents and upload selfies with a passport to get started – perfect for those who don’t have ID to hand, not in perfect lighting conditions or whatever.”
Without KYC checks, the bank was immediately vulnerable to bad actors, and Evolve quickly shut down the operation.
Preliminary moves to the metaverse have been successful, although traditional transaction banking is not yet a reality. Qureshi considered how this style of banking could come about: “I’m sure some banks are looking into how best to offer this option to their customers in a secure way. It’s probably just a matter of time and market interest for them. I suspect they need to ensure that the players providing this service meet their due diligence and security requirements.”
Crypto wallets will be a growth area for asset managers and private banks and provide a new revenue stream.
Speaking about how banks should consider security in the area, Muru explained that “if asset managers decide to offer custodial metaverse wallets, they need to make sure they have robust internal measures in place to protect users’ funds, but this is exceptionally difficult when the crypto space is still emerging and the technological foundations are still developing. If they offer non-custodial wallets, they should make sure they inform customers of the measures they need to take to protect their money themselves, but again, there’s only so much you can do when there are so many exploits.”
Currently, several banks have already “built in” the metaverse: Citigroup has opened a digital twin of its Global Wealth Center, while Deutsche Bank has launched “Wandel,” a virtual campus and employee metaverse. HSBC, JPMorgan Chase, and DBS, among others, have also entered the metaverse this way.