The metaverse exists only in an early form, but firms are already entering the space, with major banking and wealth management players including JPMorgan and Citigroup launching virtual buildings for users to visit and explore.
However, a myriad of security concerns have prevented significant progress in traditional banking transactions in the metaverse, with crypto heists still causing anxiety around the safe interoperability of private wealth.
What is the metaverse and what does it have to do with banking?
HSBC, a major investor in the sector, defines the metaverse as “a new virtual world where our physical and digital lives effortlessly converge to create a unified space where one can work, play, socialise, transact and interact”.
If these realities are ever to “effortlessly converge” in a true sense, then real-world wealth needs to be accessible, useable, and secure in both.
The metaverse has the potential to offer numerous opportunities for the banking sector, from new streams of revenue to easier fulfilment of ESG targets, particularly in relation to financial inclusion and demographics. However, emerging platforms are unavoidably exposed to risk as cyberattackers exploit vulnerabilities in new technology. Until customers can trust that their funds are adequately protected, traditional banking in the metaverse will remain a pipe dream.
Will the metaverse change banking?
The metaverse hasn’t taken off yet, with reports that Decentraland attracted only 38 active users on a single day in October 2022. It seems that the ‘move’ to the metaverse is still little more than a tentative step at this stage.
GlobalData’s recent sentiment polls revealed that 42% of respondents felt that the metaverse would cause no disruption, with only 23% saying that the theme’s disruption would be ‘significant’. However, the negative sentiment has not deterred banks from investing: 431 metaverse-related deals were made in the sector between Q1 2017 and Q1 2023.
Significantly, over half of these were venture financing deals, evidencing the infancy of the theme; there is clearly intentional investment into the technology’s growth, and the metaverse might be impactful for banking yet.
What are the risks of banking in the metaverse?
Private banks are particularly at risk in the move to the metaverse. GlobalData analyst, Suneet Muru, explained that the metaverse’s growth brings innate risk: “If people become more interested in the metaverse, they’re more likely to entrust the platforms with sensitive information, which will become exposed if those platforms are hacked… Security risks are especially true for wealth management companies who carry out extensive KYC checks on their clients, and therefore store lots of private details.”
Private banks hold exceptionally valuable personal data, often belonging to high-profile and wealthy individuals. Although they hold less data overall, it is likely to be of increased worth to a hacker.
Speaking to PBI, Ali Qureshi, chief revenue officer and co-founder at SideDrawer, explained that sensitive data “is extremely valuable for bad actors in the space, because there is a market for an individual’s personally identifiable information which can be bought and sold on the dark web”.
This appeal has historically made email the most popular target for cybercriminals: a single click on a malicious link can expose dialogue between clients, wealth managers and lawyers. 21,832 Business Email Compromise (BEC) scams were reported to the FBI in 2022, with adjusted losses over $2.7bn. As banking moves into the metaverse, so will a wealth of desirable data, and attacks will indubitably follow. It’s a relatively unregulated space, making the metaverse a wild west for scammers.
How have cybercriminals been attacking wealth in the metaverse?
There are three primary ways in which cybercriminals steal cryptocurrency: bridge attacks; wallet attacks; and DeFi vulnerabilities.
According to Chainalysis, bridge attacks are the favoured method for digital thieves, accounting for 69% of stolen funds in 2022. Being blockchain-based, metaverse platforms are particularly vulnerable to these attacks. Cryptocurrency interoperability is facilitated by cross-chain bridges which connect blockchains; these bridges are less secure than the blockchains they connect, allowing hackers to access funds.
The Ronin Bridge hack in 2022 remains the biggest recorded crypto heist. It occurred when the Lazarus Group gained access to five of the nine private keys held by transaction validators for Ronin Network’s cross-chain bridge. Axie Infinity, a popular play-to-earn blockchain game, had funds stolen to the value of $620 million from Ronin, its Ethereum-based blockchain. Only around $30 million of the stolen and laundered funds have been recovered.
Crypto wallets are also at risk of being hacked. Funds are secured by a key, held either by a third party (in a custodial wallet) or the user (in a non-custodial wallet). Hackers will try to access this key by installing malware that gives them the ability to harvest the key when the wallet is connected to a decentralised finance dApp during a transaction. With the key, cyberattackers have full access to the content of the wallet and can make malicious transactions.
AI poses a new threat for metaverse security, with studies already succeeding in jailbreaking LLMs such as ChatGPT. This could quickly become a slippery slope for cybersecurity.
“In the past, a bad actor would have to know how to do some sort of code development,” explained Qureshi: “These very free AI tools available to you – that are only getting more powerful – can write content that’s even more dangerous. Basically, you’ve just added a massive amount of gas to the fire.”
How will banks avoid being hacked?
According to GlobalData’s Job Analytics, banking and payments companies hired over 150,000 cybersecurity professionals during 2021 and 2022, the second highest of all sectors. The trend suggests that banks are aware of the risks, and cybersecurity remains a primary concern for the sector.
Blockchain security is still developing, but cryptographic techniques are already crucial in preventing third parties from accessing private data; by protecting data with hash functions and asymmetric encryption, blockchains keep it secure and immutable. Blockchain also uses a consensus mechanism to validate networks and support the immutability of completed transactions.
Identity theft in the metaverse
Banking security has long been threatened by identity theft, an issue complicated in the metaverse by the use of personalised avatars. A malicious party can log in to another user’s account, accessing their funds whilst donning a digital disguise. In this way, scammers might also target the original user’s acquaintances, conning them into transferring funds or sharing personal data under the guise of an avatar they believe to be their friend. Multi-factor authentication will be the obvious way to reduce this risk, but with little regulation around the metaverse currently, it is unclear exactly how this will manifest.
Failed start-up ZELF became a prime example of the importance of authenticated identity when its partner, Evolve, pulled the plug on the project on the day of its launch.
Speaking to Tech Round in February 2021, Elliot Goykhman, CEO of ZELF, had promised that: “simple tapping of menu buttons in one of these messengers is sufficient to issue a Mastercard or Visa virtual card just in 30 seconds. You don’t need to scan any documents and upload selfies with a passport to start – perfect for those who don’t have an ID handy, not in perfect lighting conditions or whatever other reason behind it.”
With no KYC checks, the bank was immediately vulnerable to bad actors, and Evolve swiftly closed down the operation.
How will banks enter the metaverse?
Tentative moves into the metaverse have been successful, although traditional, transactional banking is not a reality yet. Qureshi considered how this style of banking might come about: “I’m sure some banks are exploring how best to offer this opportunity in a safe way to their clients. It’s likely just a matter of time and market interest for them. I suspect they’ll need to ensure that the players who are providing this service comply to their due diligence and security requirements.”
Crypto wallets will be an area of growth for wealth managers and private banks, offering a new stream of revenue.
Speaking on how banks should consider security in the area, Muru explained that “if wealth managers decide to offer custodial metaverse wallets, they will need to ensure they have robust internal measures to protect users’ funds, but this is exceptionally difficult when the crypto space is still emerging, and the technological foundations are still under design. If they offer non-custodial wallets, they need to ensure that they educate customers on the measures they should take to protect their funds themselves, but again, there’s only so much you can do when there’s so many exploits”.
As of now, several banks have already ‘built’ in the metaverse: Citigroup has opened a digital twin of its Global Wealth Centre, whilst Deutsche Bank has launched ‘Wandel’, a virtual campus and private enterprise metaverse for employees. HSBC, JPMorgan Chase, and DBS have also entered the metaverse in this way, amongst others.