Avoiding fraud in the metaverse is a new problem – and a business opportunity. For IRL, Josie Adams chats to the guys checking digital IDs.
Imagine you’re standing in your digital house, with your digital wife. But this is not your digital wife – this is a scam artist trying to glean your passwords. Tomorrow you’ll log on, and all the NFTs you own will be gone, never to be seen again or reimbursed. On the internet, no one can see you cry.
Cyber crime already costs the globe trillions of normal dollars per year, and our new-fangled crypto-money is ripe for scamming, too: cryptocurrency theft rose 516% between 2020 and 2021, hitting NZ$4.5 billion worth. Most metaverses will operate using blockchain technology; the same technology cryptocurrency runs on. As more of us begin to enter the metaverse, the opportunities for scammers increase. How do you prove you own your beautiful digital house? How do you show that’s not your digital wife? As more of us begin to adopt virtual identities, will these identities become a security concern? And is anyone out there checking ID?
At the moment, metaverses don’t require conventional ID. All you need is a wallet address, ie your crypto identity. Your wallet is protected by a series of passwords, which only you should know. This is basically your profile on the blockchain. You use this address to log in to websites, send and receive funds, and even sign contracts.
But as the metaverse becomes more mainstream, this could change. James Brown has one eye on the future of security. He’s the director of global partnerships at APLYiD, an Auckland-based company that could become known as the RealMe of the metaverse. Brown’s been working in the financial technology space for a while, and is something of a futurist – to him, the budding metaverse could be a fraudster’s playground.
I’m talking to Bown via Zoom when he pauses. “You can see me, but are you absolutely convinced that actually I am real?” he asks. “I could just be a very clever avatar.”
The technology APLYiD uses to verify someone’s identity is cutting-edge in terms of both biometrics and privacy. You take a video of yourself, send it in, and as soon as you get the green light it’s deleted. “We have always taken the stand that we don’t hold data,” says Brown. “That data is wiped completely from our system. The process is basically 90 seconds.”
The video needs to be taken on a mobile phone, because laptops are easier to manipulate. It also needs to take in very specific parts of your face; this is not your regular selfie. “Everybody’s taken a selfie at some point,” explains Brown. “I can jump on your Facebook page right now, take a screengrab of your face, jump in a Westpac thing and go through the process. And if their system isn’t sophisticated enough, probably get through.”
Taking a video makes it harder to fake, and APLYiD is looking for specific reference points that you could only change with intense plastic surgery. Things like your philtrum and the distance between your eyes will stay the same, says Brown, regardless of age or weight fluctuation. “We take 180 different reference points.”
As metaverses get better graphics and more of us start to use them, our avatars could start to resemble our APLYiD videos – our real world identities, not metaverse identities. We’ll go shopping in Cryptovoxels, and buy real estate in Decentraland. But what if we want to take out a loan for that real estate?
Brown says this is where the risk comes in. “I come along and pretend to be, I don’t know, ASB Bank. And I say, ‘Hey, just need your password just to verify you.’ And you go, ‘Oh cool, you’re the bank, there you go.’” Next minute, your account balance is zero.
This kind of scenario is why Brown sees a need for traditional banks to adapt to new technology, and APLYiD can smooth the process. “If we are able to really identify who we are, that interoperability becomes relatively easy,” he says. “With the introduction of things like neobanks, it makes it a little bit more challenging for [traditional banks] so they have to step up their game.”
The underpinning philosophy of metaverse technology is about freedom from central institutions: big banks, big government, and big social media. But with Zuckerburg launching Meta, El Salvador using bitcoin as an official currency, and big financial firms like PricewaterhouseCoopers investing in Decentraland, that dream could be dying before it’s even begun to flourish. Metaverses may start to become more like social media, just by nature of widespread adoption. If this happens, our virtual identities and real identities may need to merge.
“There has to be this linkage at some point between the one and the other,” says Brown. “Most people would argue that actually running one life is hard enough, rather than trying to run two.”
Ben Nolan, founder of Wellington-based metaverse Cryptovoxels, isn’t convinced the current state of affairs requires real-world identity verification. Cryptovoxels only requires your cryptocurrency wallet address. “We don’t do anything with real world identity at the moment,” he says. “It’s about virtual identity.”
He says your wallet address is sufficient for him to assess your trustworthiness. “It’s not about being anonymous – it’s really that metaverse identity rather than that real-world identity. I would never trust someone who came up to me with a wallet I didn’t recognise and said, ‘Hey, I’m Dave from down the road’. That would be an instant way to lose your money.”
Nolan’s vision for Cryptovoxels is a world where we can go shopping and explore art galleries. “I don’t particularly want to build a metaverse to live in,” he says. He wants his users to stop in for a little art tour before heading out to the next stop. “You meet up with each other and then go off to the elephant-riding metaverse or the paintball metaverse.”
While he’s not stressed out about identity fraud at the moment, he acknowledges scammers – particularly in the NFT-heavy world of art – are growing in number. “The wider NFT scene is extremely risky,” he says. “I personally don’t go deep into it because I find it hard to judge what’s authentic and what isn’t.”
For now, the best piece of advice he can offer is to never give up the passwords for your wallet. “Never enter it into a computer, never send it in an email,” says Nolan. You should write it down in a locked diary, on the back of your birth certificate – somewhere no-one else could ever see it.
“There’s no recourse [if you’re scammed],” he says. “It’s a very brutal, Mad Max world.”
Have you been scammed in the metaverse, or on the regular old internet? Did you meet the love of your life in a strange way online? Got a cool internet job? IRL is keen to tell your stories: get in touch at firstname.lastname@example.org.