Opinion: An immediate change in security approach is crucial for Web3’s evolution
Disclaimer: The opinions expressed in this article are solely those of the author and do not reflect the views and opinions of the editorial team at crypto.news.
Over the past two decades, the banking industry has experienced a significant transformation in its approach to fraud detection and prevention. In the past, fraud analysts relied on intuition and direct communication to identify and address fraudulent activities, often collaborating with law enforcement. With limited payment options like bank transfers, credit cards, and checks, detecting and controlling fraud was relatively straightforward. Merchants utilized secure transaction services to verify cardholder identities, while banks employed rule-based mechanisms to combat fraud, disregarding the intricacies of cardholder profiles and behavior.
However, the landscape has dramatically changed in recent years. The adoption of EMV chip cards for card-present transactions pushed fraud toward online and mobile channels. As payment methods diversified, fraudsters adapted to the digital realm and our hybrid lifestyles, leading to the emergence of new threats. This necessitated a strategic shift in fraud prevention departments, prompting the adoption of new technologies to detect and prevent fraud.
Unfortunately, addressing these challenges in the current centralized and monolithic banking system is not an easy task. The existing bank infrastructures are designed for closed ecosystems, where fraud is easier to detect because the bank holds a wealth of data on each customer’s profile and habits. The concept of a malicious actor is unfamiliar in this context. Simply put, banks detect unauthorized payments not because they can identify a bad actor, but because they are familiar with the customer’s behavior and can recognize when a payment doesn’t align with it.
We are now witnessing similar processes unfolding in the web3 space. The disruptive nature of web3 has exposed numerous vulnerabilities. Currently, the focus is on patching these vulnerabilities through smart contract audits and bug bounties. However, users are often left to navigate the complex landscape of scams and attacks on their own. Similar to the banking sector, many security measures in web3 are reactionary, focusing on investigating incidents after they have occurred rather than proactively preventing them. Additionally, creating standard user profiles is challenging in the liquid blockchain environment, where users can use different addresses for various tasks.
The user experience in web3 is also a crucial consideration. Expecting every web3 user to navigate the complexities of working with investigation agencies and security solutions is unrealistic. Some users have taken matters into their own hands by installing security extensions to protect their wallets. However, the need for such measures highlights a fundamental flaw: security is not the default state in web3, which it should be.
To address the security issues in web3, an integrated approach with core infrastructure is necessary, similar to the evolution of security in the banking and cashless payment industries. In this environment, users should not be burdened with the responsibility of protecting themselves against fraud and attacks. Security should be inherent in the web3 technology itself, rather than an optional add-on.
Drawing a parallel to a dangerous street full of criminals, the current approach to web3 security is akin to providing body armor to individuals while neglecting to eliminate the possibility of crime and make the entire street safer. Simply providing basic self-defense measures to users does not guarantee their security, as malicious actors can easily bypass these measures. This leaves the average user vulnerable and inadequately protected.
For example, the Angel Drainer attack on Balancer in September 2023 highlighted the vulnerabilities in the web3 space. Attackers hijacked Balancer’s DNS, compromising its interface and leading to phishing attacks on users’ wallets. Over 1,500 victims lost a minimum of $350,000. Would installing security extensions or MetaMask snaps on each of these wallets have been an effective defense? There is no certainty, as most security solutions rely on blacklists that include known scam addresses.
The current security tools available are reminiscent of antivirus programs that require knowledge of existing viruses to provide protection. However, the blockchain environment is fluid, with scammers easily switching addresses to evade detection. Moreover, detecting scams with a high level of certainty takes time and human investigation.
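The contrast the article draws, between a blacklist that only knows addresses already reported and a bank-style check that knows the customer’s own habits, can be made concrete with a small illustration. The following Python is an added example, not code from the article or from any wallet vendor; every address, amount and history entry in it is constructed sample data, and the three-sigma amount threshold and the "unlimited allowance from an unknown spender" rule are assumptions chosen for the demonstration rather than any product’s actual logic.

```python
"""Blacklist lookup versus behavioural profiling for wallet transactions.

Added illustration (not the article's own code): all addresses, amounts and
the wallet history below are constructed sample data, not real on-chain data.
"""
from __future__ import annotations

from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed blacklist of "known scam" addresses, the kind of list the
# article says most wallet extensions rely on.
KNOWN_SCAM_ADDRESSES = {"0xSCAM-KNOWN-01"}


@dataclass(frozen=True)
class Tx:
    to: str                  # counterparty (recipient or token spender)
    value_eth: float         # amount moved, for transfers
    kind: str                # "transfer" or "approve"
    unlimited: bool = False  # True for an unbounded token allowance


# Constructed history of one wallet: small amounts, a few repeat counterparties.
HISTORY = [
    Tx("0xFRIEND-01", 0.05, "transfer"),
    Tx("0xEXCHANGE-01", 0.10, "transfer"),
    Tx("0xFRIEND-01", 0.08, "transfer"),
    Tx("0xDEX-ROUTER-01", 0.0, "approve"),
    Tx("0xEXCHANGE-01", 0.12, "transfer"),
]


def blacklist_check(tx: Tx) -> bool:
    """Static check: flags only counterparties already on the list.

    A freshly created attacker address is, by definition, never on it.
    """
    return tx.to in KNOWN_SCAM_ADDRESSES


def behavior_check(tx: Tx, history: list[Tx]) -> list[str]:
    """Profile check: flags departures from this wallet's own habits.

    Mirrors the banking approach described in the article: the check does
    not know who the counterparty is, only that the request is out of
    character. Returns human-readable reasons; empty means 'looks normal'.
    """
    reasons: list[str] = []
    seen = {h.to for h in history}
    if tx.to not in seen:
        reasons.append("counterparty never seen in wallet history")

    # Assumed rule: a transfer more than three standard deviations above the
    # wallet's usual amount is unusual for this wallet.
    transfers = [h.value_eth for h in history if h.kind == "transfer"]
    if tx.kind == "transfer" and len(transfers) >= 2:
        mu, sigma = mean(transfers), pstdev(transfers)
        if tx.value_eth > mu + 3 * sigma:
            reasons.append(f"amount {tx.value_eth} ETH far above usual ~{mu:.2f} ETH")

    # Assumed rule: an unlimited token allowance granted to a spender the
    # wallet has never interacted with is the classic drainer pattern.
    if tx.kind == "approve" and tx.unlimited and tx.to not in seen:
        reasons.append("unlimited allowance requested by an unknown spender")
    return reasons


def evaluate(tx: Tx, history: list[Tx] = HISTORY) -> dict:
    """Run both checks side by side so the gap between them is visible."""
    reasons = behavior_check(tx, history)
    return {
        "blacklisted": blacklist_check(tx),
        "behavioral_flags": reasons,
        "risk": "high" if len(reasons) >= 2 else "medium" if reasons else "low",
    }


if __name__ == "__main__":
    # Drainer-style request from a fresh address: not on any blacklist, but
    # out of character for this wallet on two counts.
    fresh_drain = Tx("0xFRESH-UNKNOWN-01", 4.2, "transfer")
    # Same goal pursued through a token approval rather than a transfer.
    fresh_approve = Tx("0xFRESH-UNKNOWN-02", 0.0, "approve", unlimited=True)
    # Ordinary payment to a regular counterparty.
    routine = Tx("0xFRIEND-01", 0.09, "transfer")
    for label, tx in [("fresh_drain", fresh_drain),
                      ("fresh_approve", fresh_approve),
                      ("routine", routine)]:
        print(label, evaluate(tx))
```

Running it shows the point of the paragraph above: the blacklist answers "no" for both fresh attacker addresses because nobody has reported them yet, while the profile check flags them immediately and leaves the routine payment alone. The profile check is not free of caveats either: a first payment to a legitimate new counterparty also earns a "never seen" flag, which is why the example grades risk by the number of reasons rather than treating any single signal as conclusive.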
It is crucial to recognize that the most defenseless users are often unaware that they are interacting with web3 applications in the first place. As web2 interfaces increasingly serve as gateways to web3 applications, web2 users will be at an even higher risk of falling victim to scams.
To create a genuinely secure web3 environment, security must be integrated into the core infrastructure. It should not be an afterthought or an optional feature. This requires collaboration among all stakeholders in the web3 ecosystem, including developers, platform providers, regulatory bodies, and end users.
Users should demand solutions that prioritize not only basic functionality but also security and protection. Infrastructure providers must ensure their systems are fortified against attacks and provide secure access points to the blockchain. RPC and node providers play a crucial role in multiplying access to security protocols and protecting end users.
Regulatory bodies should broaden their scope to include user protection in the web3 space. Regulations should encourage the implementation of robust security measures without compromising decentralization. The focus should be on creating a safe environment for all users rather than solely targeting illicit activities.
In conclusion, the evolution of web3 security requires a shift from reactive measures to proactive solutions. By integrating security into the core infrastructure and engaging all stakeholders, we can cultivate a web3 environment that is innovative, decentralized, and, most importantly, safe and trustworthy. This commitment not only safeguards digital assets but also ensures the trust and confidence necessary for the success and growth of web3 technologies.