Hacking in Web3 is easy because it uses the same pattern that’s been used since the inception of the internet — pretending to be someone else.
Due to the complexity and the “cool factor” of Web3 projects, one can easily — and mistakenly — assume that it takes a Mr. Robot level of advanced hacking techniques to pull off a successful attack. In truth, however, it only takes a sinister ad placed on Google search results, an impostor Telegram group or a deviously crafted email to break the security barriers of the Web3 ecosystem.
Blockchain projects can use top-notch smart contracts, securely integrate crypto wallets and use best practices in each digital step across the board. But they still need help with the social aspect of user protection.
Web3 takes the “ownership” from central entities and distributes it to users to democratize the internet for everyone. It gives power to the user.
But attaining this power of ownership also comes with significant responsibility. Users need to understand how crypto wallets work, how transactions are made, and how assets are stored — and the steep learning curve is not helping.
Cointelegraph sat down with Dmitry Mishunin, the CEO of blockchain auditor HashEx, at Istanbul Blockchain Week to speak about the ins and outs of Web3 from a security expert’s perspective.
Cointelegraph: You were working on Web3 before it was even a thing. How do you describe or frame Web3?
Dmitry Mishunin: I think the main feature [of Web3] is that the control of funds is the users’ responsibility, and this is a fascinating paradigm.
Web1 is just a read-only experience. You can get the information and get the context, but you can’t do anything with it. Web2 is a read-write mode — you can upload something. And Web3 is read, write, own.
This is a crazy responsibility for the end-user because they didn’t have such an experience before. We see lots of problems in security because people don’t realize that this is their personal responsibility against their own assets. People are not ready for this.
CT: How do you think Web3 differs from others regarding security and user protection?
DM: It comes with a new level of security and a new level of smart contracts. It’s not only about the privacy of smart contracts; it involves all the infrastructure of wallets, users, their mission and so on.
When a huge bank lacks funds, governments can provide the funds, not as credit. They buy the bank for $1 and give government funds. The Web3 infrastructure is not ready for this because governments and huge regulators don’t think it’s worth it, or they don’t think they can trust this ecosystem.
For example, if I had a PayPal account, I’d be 100% sure that PayPal kept my funds safe. And if someone steals it from them, [PayPal] will return it to you, or maybe I can go to court. At the end of the day, they will return my funds. It’s hard to understand you have a personal responsibility for these funds [in Web3] — it’s hard to realize.
Phishing continues to be a major threat in Web3
DM: Even in HashEx, a security company, we lost about 100,000 dollars in the previous year — not in scams, not in risky investments, but in human mistakes. We had a crucial phishing experience when our employee wanted to make some swaps on PancakeSwap, searched for Pancake on Google and didn’t realize that she was clicking a link from Google Ads, not from the search results.
It had a pop-up that looked like a MetaMask window. The pop-up said, “you have an error in your MetaMask,” and she entered her seed phrase.
CT: So, in short, smart contracts will be safer, but phishing will still be the main pain point in web security. Will the social aspect of security be the main business for companies like HashEx?
DM: We can reduce phishing attacks because it’s mostly about knowledge and understanding of how swindlers are tricking users. It’s not about the cyber police or the auditors because executing such attacks is easy. You can just create a Telegram group and message users. It’s impossible for security companies to cover all this stuff.
However, we sure can help with this level of understanding of users, and we do. We have HashEx Academy. We are making lots of content about it. After some time, people should gain a better understanding of how Web3 should work.
CT: Is it possible to stay anonymous in the Web3 environment?
DM: It’s only possible if you don’t withdraw any funds and transfer them from Web3 to the real world. If you want to withdraw funds from Web3 to the real world, the risk of losing anonymity appears immediately.
CT: Metaverse and blockchain gaming are the top trends for Web3 right now. Do we have any other trends besides those?
DM: The Internet of Things (IoT). It’s a powerful trend. It’s excellent when those devices can exchange data with smart contracts or with each other.
There are a few smart devices in my house, like a washing machine and a dry washer. I use these IoT features. It’s good for me, and I think integrating more complicated systems will be fine.
CT: Why do you think blockchain-based IoT would become a trend?
DM: It’s because the companies lack universal support for IoT. For example, there is a massive problem with availability in different countries or different regions. If you speak about Amazon or eBay, they have different databases and websites across the world and every couple of hours, or every couple of days, they synchronize them. But they surely don’t use the same database for North America, South America or Europe.
And, if you are a technology vendor like LG or Samsung and you want to connect all the devices across the world, you have two options. You either have different hubs in different regions and synchronize them, or you use something like a blockchain. So, for the high reliability of this process, blockchain and Web3 are helpful.
CT: What do you expect from the Web3 industry for the upcoming year?
DM: Standardization. We have to ask for more and different spheres of blockchain. We have to ask for other ways of transferring funds between blockchains. Bridge standardization — it may have more tools and more frameworks. It’s really useful.