An employee wearing HTC’s Vive virtual reality headset plays a video game at the T.UM showroom in the SK Telecom Co. headquarters in Seoul, South Korea, on June 11, 2021.
SeongJoon Cho | Bloomberg | Getty Images
Imagine discussing a confidential multimillion-dollar deal with your boss. The conversation ends, and you both leave.
A while later, you both meet again and you bring up your earlier conversation — but your boss has absolutely no recollection of the deal.
What just happened?
In the metaverse, this might mean you were the victim of a hacked avatar or deepfake, said Prabhu Ram, head of the industry intelligence group at CyberMedia Research, a research and consulting firm. Deepfakes refer to manipulated digital figures that look or sound like someone else.
The metaverse has drawn hype in recent months, with companies like Meta, formerly known as Facebook, and Ralph Lauren, rushing to get their foot in the door. But unless cybersecurity risks in the metaverse are addressed, these companies may not see the success they’re hoping for.
Cybercrime in the real world is already becoming more rampant.
Cybersecurity firm Check Point reported a 50% increase in overall attacks per week on corporate networks in 2021 compared to a year earlier. As businesses rush to plant their flag in the metaverse, not all may realize the full dangers of this new world, said Ram.
“Since the contours and potential of metaverse are yet to be fully realized, the overt concerns around privacy and security issues in the metaverse remain confined to only a few ‘tech-aware’ companies,” Ram said.
“As new attack vectors emerge, they will require a fundamental realignment of today’s security paradigms to identify, verify and secure the metaverse,” he added.
Identity security
JPMorgan released a white paper in February which recognized user identification and privacy safeguards as important elements for interacting and transacting in the metaverse.
“Verifiable credentials [should be] easily structured to enable easier identification of fellow community or team members, or to enable configurable access to varying virtual world locations and experiences,” according to the white paper.
Gary Gardiner, who is head of security engineering for Asia-Pacific and Japan at Check Point Software Technologies, agreed.
The same mindset for internet security needs to be applied to the metaverse, he said, adding that security protocols should be as user-interactive as possible.
People are looking at blockchain to identify users, or “using tokens that could be assigned by an organization, or biometrics in a headset you’re wearing so there’s that level of trust so you actually know who you’re talking to,” he said.
Gardiner also suggested having “little exclamation marks” above avatars’ heads to signal that a person is untrustworthy.
Data breaches
As users leave trails of data around the metaverse, one major problem in the real world may also cross into the virtual reality world — the invasion of user privacy by tech companies.
The 2018 Facebook and Cambridge Analytica scandal, for example, saw millions of users’ data harvested and used without consent. In the metaverse, there may be even more data available for these companies to feed on if strict regulations are not put in place to protect users.
When users are wearing devices like virtual reality headsets, organizations can collect data such as their head and eye movement or their voice, said Philip Rosedale, founder of Second Life, an online world that allows people to hang out, eat and shop virtually.
“Meaning within a few seconds, we can identify it is you exactly wearing the device. This is a very serious potential privacy problem for the virtual world,” he said.
What can be done
Microsoft co-founder Bill Gates predicted in a blog post in December that within the next two to three years, most virtual meetings will move to the metaverse.
For businesses to safely operate in the metaverse, Gardiner said, it’s important to train staff well.
“The weakest point in any organization from a cybersecurity perspective is the user,” he explained.
The foundation [of the metaverse] has to be done well because if the foundation is weak and it’s not done well, people will lose confidence in the platform and we’ll stop using it.
Gary Gardiner
Check Point Software Technologies
If an attack hits the metaverse, users will be in a stronger position if they have that level of training and understanding of what is suspicious, he said.
While companies should implement risk mitigation strategies, both Rosedale and Gardiner said that maintaining privacy ultimately depends on the type of security platforms and safety models the metaverse puts in place for organizations.
Citing LinkedIn, a professional networking site, as an example, Rosedale said users will need to be able to use a “web of trust” to exchange information with others to establish trust more easily.
Identifying people you trust and sharing that information with other trusted people will allow you to assess whether you have friends in common with someone new, he added.
Meanwhile, Gardiner said companies involved in designing the metaverse will have to work together to establish a common standard that will enable security protocols to be deployed effectively.
“The foundation [of the metaverse] has to be done well because if the foundation is weak and it’s not done well, people will lose confidence in the platform and we’ll stop using it,” Gardiner said.