We have brought back one of our favourite guests for this episode.
Hit play and listen to Paul Walsh from MetaCert, who talks about how important it is to stay safe in the crypto communities on various platforms and how you can take measures to prevent attacks!
ABOUT THE GUEST
On today’s episode, we have one of our previous guests, Paul Walsh, who’s been ensuring safety whilst clicking on links. Paul is the founder of MetaCert, a security company that protects the crypto community from phishing attacks on mainstream messaging applications. He co-instigated the creation of the W3C Standard for URL Classification/Content Labelling and is one of the seven original Founders of the W3C Mobile Web Initiative. He owns a full patent for the checking of URIs for Malware and Phishing inside mobile apps.
WHAT’S NEW? (2:36)
We have been in the cryptocurrency world for 4 weeks now and we've already hit 100 million messages inside Slack alone. This shows how big our utility is. The number of people who received an alert is 58k, who are members of the community. And the total number of alerts should be more than that according to me. But these are the people who have MetaCert.
The only other security app relying on other companies like MetaCert to secure Slack hit 16 million, but we have 1.2 billion messages on the whole, with 1 million in the crypto world.
HOW MANY PEOPLE HAVE BEEN SAVED FROM MALICIOUS LINKS? (6:11)
We're monitoring all that and logging it all.
We plan to build a global central threat intelligence system. When we are monitoring communities, we see attacks happening over multiple communities with the same person being the culprit sometimes. We have come up with a way to stop attacks as soon as they are on the Slack API or chat bots. As soon as they happen, we catch the culprit, who'll be immediately blocked. That website will be labelled so that other people will know. The person will be banned. This will thus be based on the behaviour of phishers.
SHOULDN'T THIS BE ON SLACK OR ANY OTHER SIMILAR PLATFORM ORGANICALLY, RATHER THAN JUST COMMUNITIES? (11:14)
We had a talk with Slack and they are not interested in working with us. They wanted to use the Google Safe Browsing API.
In my opinion, that's a bad decision because I have a full patent and MetaCert already has the world's biggest advanced threat intelligence system, which would react much more quickly to phishing attacks. We're able to classify attacks in a way Google can't. Maybe they'll realise our advantage in the future.
Slack is designed for communities whereby you verify the integrity of the person who joined. It wasn't designed to cope with communities where you would have people joining it without knowing if they can be trusted. Most companies with a huge number of employees are concerned a lot about internal hacks compared to external hacks. Humans are the weakest links, not the software.
What I articulated to Slack was that they need to be mindful about communities because they comprise thousands of powerful people working in big companies who're probably never going to use Slack in case there's a problem with security. This would be a huge customer loss for Slack. And instead of saying we don't support communities, they need to take action to protect them.
WHAT ABOUT TELEGRAM? YOU SAID THAT YOU WEREN'T ON IT THE LAST TIME WE SPOKE (13:31)
We’re currently doubling down on Slack, which is a bigger challenge for the vast majority of people in crypto. Thus, we're not working on Telegram now.
We're working on browser add-ons which will protect you in a similar way to our Slack app.
We will put Telegram on the roadmap. Nothing until 3-4 months, which we realise is a long time in the crypto world.
ARE YOU LOOKING AT OTHER THREATS OR JUST PHISHING? (15:16)
We’re looking at wallet addresses. When you open a website which is verified, you are able to see the URL in green. We want to do something similar with wallet addresses. I have spoken to certificate authorities to make crypto wallets have cheaper extended validation certificates to prevent phishing attacks.
HOW DO WE SPEED THIS UP AND HELP MORE PEOPLE KNOW ABOUT THIS? (16:50)
Every crypto company with Slack needs to have MetaCert. Educate people about checking URLs. I'm working on two manuals, one for companies and one for investors. People working in crypto companies need to be mindful about their own security by making sure they're shredding documents and changing passwords every couple of months. Use two-factor authentication. Use Google Authenticator. Things like that help educate people.
I'VE BEEN ASKED IF METACERT SHOULD DECENTRALISE ITS DATABASE AND WHY PEOPLE SHOULD TRUST METACERT. (18:53)
We started research on whether it was feasible to decentralize our database so that we reduce the risk of MetaCert becoming the single point of failure. We’re able to cope with brute force attacks. Decentralizing our database is new to us. We’re looking closely at doing it. We’re always looking to address the problems faced by the crypto world.
ANYTHING ELSE YOU WOULD LIKE TO SHARE THAT WILL HELP OUR LISTENERS? (22:00)
It would be rude for me not to bring up Equifax. Unfortunately, it’s easier to attack than to defend. To have a third of all people have their social security number exposed and compromised is very scary. To have Equifax be the central point of failure is very scary. It’s ridiculous how easy it is to steal your identity in the US. If this was decentralized where we didn’t have one point of breach, that would be good.
In the crypto world, everybody needs to wake up now. Everybody in this world has a target on their back. Not just individuals; companies and ICOs have a target on their back. We’re going to see easy compromises. We’re going to need to stop and think. Use different passwords for different websites. Use two-factor authentication. Look at all your social media accounts. Educate people in your company. Constantly remind them about the importance of being proactive. People are going to look for information from your trash bins. If you can go into somebody’s crypto world, you empty it. Cyber criminals are going to get much more sophisticated.
My strategy is to try and strike up partnerships with companies that work with token launches and ICOs. The more information we put out through podcasts like this, for the community, the better. The developer community excites me. It takes a lot to gain their trust. When they see that you care, when they believe in you and see that you’re trying to solve a problem, they tend to help you back. That’s what excites me.
Another observation is when I see banks telling people to click a link to open a secure message inside a browser. It just becomes easier to phish people. As for hacks, they hack, they steal and then they upload to the dark web where they sell that information to potentially tens or thousands of people. They make it easy for people to search that data.
SO IF BANKS SHOULDN’T SEND YOU LINKS TO CLICK, WHAT SHOULD THEY DO? (33:00)
Just send you the email, asking you to log into your account, and not ask you to click links. I spoke to a bank about this. In the crypto world, you will get people saying, don’t be stupid. I’m frustrated by seeing so many people lose money. You’ve always got new people coming into the crypto space. Aside from Coinbase, everything else is a complicated process. It’s going to be difficult to tell people what to do and what not to do if everything’s this complicated. You can’t expect mainstream people to comprehend all that. One of the biggest opportunities is to improve the UX and UI in the space.
One of the things that we’re working on is a trust mark for MetaCert. When investors see the trust mark, they know that best practices are being followed.