In offering rich hyper-real 3D content and virtual interactions, the metaverse harbors privacy and fraud risks that are all too real …

The metaverse can be described as a possible evolutionary path of the internet, made up of digital shared spaces that exist in parallel with the real world. 

One of the most immediate opportunities for brands to engage with their audiences via the metaverse is to create immersive and interactive experiences such as virtual concerts and 3D showrooms. 

However, some people are already experiencing problems with this virtual world in terms of privacy, on social media platforms, as Philipp Pointner, Chief of Digital Identity, Jumio, explained to CybersecAsia.

CybersecAsia: Can you describe how privacy and cybersecurity issues can arise in the metaverse?

Philipp Pointner, Chief of Digital Identity, Jumio

Philipp Pointner (PP): With security and privacy risks already prevalent on social media platforms, the metaverse (which extends the features of such virtual communities) could exacerbate the situation. 

With social media, users upload photos and videos showing snippets of their lives. In the metaverse, users can deploy virtual reality, augmented reality or mixed reality to create completely independent entities, so the room for crimes such as identity theft and cyberbullying will be amplified.

By design, the metaverse is meant for users to create an identity that is a very close representation of themselves. This means capturing little details such as gestures and reflexes. In fact, a 20-minute VR session can generate approximately two million data points and unique recordings of body language. While these are designed to verify users’ identity, such personal data is now captured in cyberspace. By gaining these prized datasets, scammers could lure their victims in the virtual world by impersonating a friend and inviting them to hang out in a malicious virtual room, resulting in dire consequences.

In cases of stolen identity, separating legitimate users and bad actors will require highly sophisticated technology. For example, in ‘crypto influencer’ fraud, scammers impersonate influential people by hacking their social media accounts.

Criminals using stolen metaverse identities to conduct illicit activities may go undetected for some time, because cybersecurity experts will have to sieve through massive layers of data across a complex network of integrated systems.

CybersecAsia: How can such data-rich identities in the metaverse be authenticated quickly?

PP: While regulating the metaverse will take time to apply globally, identity verification is possible if

creators of the metaverse take a proactive approach in creating their own regulations to ensure the safety of users.

For example, one way to verify identities in the metaverse is multifactor authentication and know-your-customer requirements that mandate real-time verification of users’ biodata. 

CybersecAsia: What must metaverse stakeholders adopt to protect their security and privacy?

PP: Creators of the metaverse must look toward simple yet robust real-time identity and age verification solutions that ensure watertight security and privacy, without preceding the real needs of users and businesses. 

A valid government-issued ID and a ‘live’ selfie pairing serves as a powerful age-verification and fraud-prevention tool, especially as many minors and cybercriminals would not be able to use their own likeness in a real-time selfie when impersonating someone.

‘Liveness’ detection enables firms to determine every user’s physical presence behind an app. This kind of identity detection must have gone through rigorous testing—for example, the system must be able to discern identity-faking methods such as realistic masks, lifelike dolls, digital and paper photos, deepfakes and others)—to ensure that advanced spoofing attempts are intercepted. 

These checks ensure an airtight online age verification process without introducing excessive friction. Ultimately, the best solution should not hinder the online experience for users in the metaverse, allowing the platform to effectively balance security and convenience.

CybersecAsia: Surely, strict regulations can help preempt crimes and mischief?

PP: In the ever-evolving digital world there will always be environments that fall outside the ambit of regulators.

Metaverse-specific approaches to identity and age verification can lead to standards that vary greatly from one metaverse to another, which in turn can intensify complexities down the road. 

Ultimately, the world must first figure out how to facilitate and standardize security in the metaverse, so users can have peace of mind in a virtual 3D world.

CybersecAsia thanks Philipp for sharing his metaverse cybersecurity insights.