Cybersecurity and the Metaverse: Identifying the Vulnerabilities


As you browse your countless social media platforms, hop online to read reviews of the new restaurant that opened just down the street, or log into your favorite virtual store to buy a birthday present for your mom, you might have no sense that your online life is changing. Chances are, however, that the digital status quo won’t remain the status quo for much longer.

Indeed, there are many pretty strong indicators of a sea change coming. Zuckerberg recently rebranded Facebook as Meta. Microsoft is currently in the process of acquiring gaming giant Activision Blizzard for nearly $70 billion. Even the iconic fashion house Ralph Lauren has launched a line of virtual clothing and accessories.

So what is it that is causing such seismic shifts in the worlds of both technology and commerce, and why should you care?

It’s the metaverse and the tech world is buzzing. You’ve probably heard the term yourself, but it might not be clear to you what it’s all about.

Understanding the Metaverse

In a nutshell, the metaverse is a new enhanced version of the internet that uses virtual reality and augmented reality (AR/VR) to provide a fully immersive experience of the online world. In other words, it’s a version of the web where “you”, in the form of your online avatar, can work, play, get an education, shop and socialize with friends – and feel like you’re really there.

The metaverse is essentially an alternative to our physical world, but without many of its limitations, such as geographical distance or the hindrances of real, living bodies.

Sounds pretty exciting, right? Well, yes. However, there is a downside. Experts predict that the metaverse will amplify the cybersecurity challenges that already exist online today, while introducing a host of new ones, both those we can predict and those we can’t yet.

For example, research shows that cybersecurity threats, as well as cybercrime, are increasing rapidly and dramatically, by 50% or more year over year. According to recent forecasts, the annual cost of cybercrime will exceed $10 trillion by 2025, and the primary commercial targets are unlikely to be finance or commerce. Instead, other key industries are being targeted by cybercrime, such as real estate, education, and agriculture.

If and when the metaverse emerges to replace Web2, experts warn that these trends will only worsen and that the consequences of cybercrime, like the metaverse itself, could be an extreme amplification of what currently exists.

Identity security

The metaverse is designed to function through the use of digital avatars that each user creates for themselves. Ostensibly, this avatar will be both unique and secure, allowing the real human it represents to use their Personally Identifiable Information (PII) and other sensitive information to make purchases, do work, and even receive healthcare.

In addition, the avatar allows the user to interact with others in the digital space, including working with colleagues in a virtual office.

The concern, however, is that because the avatar is essentially the key to your private offline information, from your PII to your financial accounts, if a hacker gains access to your avatar, he could open the door to your entire life. This holds the potential to take identity theft to an unprecedented level.

However, identity theft in the metaverse can also take a different, and perhaps even more sinister, turn. If hackers gain control of your avatar, they can engage in behavior that can damage your relationships and reputation, and even jeopardize your offline security.

A particularly alarming form of this kind of identity hijacking is the ‘deepfake’, where bad actors impersonate another person in the digital space. Deepfake videos have already been created online of both celebrities and ordinary citizens, using technology so advanced that it is almost impossible to distinguish between the deepfake and the real person.

NFT and bitcoin scams

The metaverse will function through its own forms of currency, including cryptocurrency such as Bitcoin, as well as various types of non-fungible tokens (NFTs). While NFTs and cryptocurrencies can be collected, exchanged, spent or lost in the metaverse, just as fiat currency is used in the physical world, the process of buying these digital currencies starts with traditional money.

Just like in the physical world, scammers and thieves will flock to anything of value, and the metaverse, despite being still in its infancy, has already been the site of some pretty jaw-dropping scams. In fact, it is estimated that more than $14 billion worth of cryptocurrency was lost to fraudsters in 2021 alone.

For example, the infamous Hyperverse scam offered metaverse residents the chance to use crypto to buy NFT tickets to a concert series in the metaverse. The event received a lot of publicity, not only within the metaverse, but also in traditional and social media, and aroused huge interest. There is to date no evidence that any of the heavily promoted events ever actually took place.

Significantly, because theft in the metaverse generally involves blockchain technology, it is nearly impossible for law enforcement to track down the culprit. This is due to the decentralized nature of blockchain, which erases all records of the chain of ownership.

Biometrics and data hacks

One of the most troubling of the potential cybersecurity threats in the metaverse is the risk of biometric hacking. Because the metaverse works through VR/AR, users will need to wear VR headsets and possibly other VR/AR technologies, such as haptic gloves.

These can be used in certain parts of the metaverse for biometric identification, such as by iris scanning. Critics fear, however, that hackers could obtain this biometric data, giving them access not only to sensitive accounts, but also to private information about the end user’s physical functioning and medical status.

This is particularly a concern given the infamous history of nefarious data collection practices by entities such as Facebook. Critics argue, for example, that if platforms like Meta have access to voluminous biometric data about their end users, those data archives could be hacked or, worse, sold without end-user consent.

Physical safety

The immersive environment of the metaverse can also compromise the physical security of end users in the offline world. For example, if a hacker takes control of someone’s account, they could potentially manipulate what their avatar sees, hears, and does in the virtual space.

However, activity in the metaverse can also easily translate into activity in the physical world. The immersive experience of the metaverse means that users can easily become disoriented as their senses no longer register their actual physical environment. A hacker can manipulate the metaverse environment so that the user responds physically while unaware of their physical surroundings. This can even lead to life-threatening situations, as hackers can manipulate end users into unknowingly walking into traffic or down stairs.

This could be a particular concern for parents whose kids are already gaming in the metaverse. Fortunately, it is still possible to follow the gameplay in the metaverse, for example by having children project their game world onto the family television so that parents can keep a better watch.

The takeaway

The metaverse is truly a brave new world, a world of immense promise and potential. The metaverse can revolutionize the way we work, learn, play and socialize. However, the cybersecurity threats posed by the metaverse are very real, and it is the job of the metaverse creators, governments, businesses and individuals to understand and guard against these threats.

Charlie Fletcher is a freelance writer on technology and business.
