Take advice from the security experts at CertiK on how crypto projects can protect from insider threats of all kinds! Let’s dive in!
Not all threats come from external sources. Some of the most devastating can come from inside a project team, from a trusted member of the group. A vital element in reducing the risk of insider threats in crypto projects is to thoroughly vet new team members. However, many people skip this essential step due to the perceived complexity or daunting nature of the process. In this article, our former law enforcement investigators give you simple, practical advice on how to conduct the kind of background checks that will help guarantee the security of your Web3 project or investment.
Why Vet Team Members?
According to a Harvard report on what makes a successful startup team, recruiting the right people is a key determinant, and data suggests that 60% of new ventures fail due to issues with the team. The composition of a team factors into the success of Web3 projects, but it is also critical for their integrity and security. Busy entrepreneurs can easily overlook that security issues can arise not only from a code vulnerability or an external attacker, but also from an insider threat – a person who uses their authorized access or insider understanding to harm their own organization.
Founding a project with co-founders or developers without a formal vetting process increases exposure to the risk of insider threats, which can lead to disastrous consequences, such as a rogue team member causing an incident, illicitly modifying the code, misusing proprietary information or stealing project funds. For instance, in the Wonderland project, the CFO “Sifu” was allegedly hiding the fact that he had been convicted for financial crimes under the name Omar Dhanani, and had previously co-founded the QuadrigaCX 133 million USD scam under the name Michael Patryn. Blockparty’s former CTO Rikesh Thapa was indicted for allegedly stealing the equivalent of 1 million USD from the project’s treasury. Although it may be tempting to ignore the background of a highly-skilled or well-funded partner, a negligent hiring or partnership decision can be highly damaging for a project, its users, and its investors.
“Rikesh Thapa allegedly betrayed his company’s trust, as he was responsible for the safeguarding of substantial amounts of money. Thapa went to great lengths to cover up his frauds, but, thanks to the dedicated work of this Office and our law enforcement partners, he will now have to answer for his crimes.”– U.S. Attorney Damian Williams
There are a multitude of benefits to conducting thorough background verification processes on anyone wishing to join your project’s team. To start, verifying a candidate’s identity and background history is an excellent deterrent for malicious partners, as most will target weaker enterprises that do not bother with such verifications. Secondly, identifying potential risks prior to hiring someone provides an opportunity to disqualify high-risk individuals. Third, if you do decide to proceed with a high-risk individual, this knowledge allows you to take steps to mitigate their risk, such as limiting their involvement in certain aspects of a project or restricting the access levels based on their identified risk level. This goes hand in hand with addressing the risk of Privileged Access Management (PAM).
Once a contributor’s identity and personal details are formally verified, they will likely feel more accountable, thus further mitigating the insider risk. Finally, if an insider still commits a crime despite all of the risk mitigation measures taken, having proper due diligence records will greatly facilitate the future investigation and prosecution of the perpetrator. In the next paragraphs, our former law enforcement criminal investigators cover step by step how to properly verify a partner or a contributor.
How to Vet a Web3 Developer
Don’t be fooled by conventional “background checks”. When people say they do a “background check”, “criminal record check”, “vetting”, “screening”, or “clearance”, it generally means they ask for a name or an ID and check the provided name in a criminal & credit record database. It is quick and cheap – typically costing about US$2 per lookup, and while the lingo sounds reassuring to the non-specialist, it actually creates a misleading and false sense of security. A database lookup is relatively easy for a malicious operator to bypass. For example, the individual can use an alias, a fake name, a fake ID, someone else’s ID, or ask someone else to be a front person acting on his behalf. Secondly, even with the correct identity, criminal record databases are limited in scope and not necessarily up-to-date. Many fraudsters commit crimes using aliases, many frauds are never prosecuted thus not recorded, and even clean criminal records are not necessarily a predictor of future behavior. A database lookup is useful, but is only one step of the true background investigation process.
Set up a clear, transparent, and fair verification process. Clearly disclosing your security requirements and strict background verification process serves several purposes. Not only is a disclaimer and a waiver best practice for fairness and compliance, it can also deter malicious actors, while proving to honest potential partners that the project has the highest security standards. This practice can constitute in itself a very efficient security briefing, and establishes a deep security culture from the start. The verification process must be the same for everyone: equitable, relevant, non-discriminatory, and respectful of the person and their privacy. The evaluation and decision process must be documented, objective, based only on relevant findings, and offer an appeal process. If the due diligence findings and risk assessment are used to deny an employment, consult a human resource specialist in order to ensure your hiring process complies with local recruitment laws.
Ask for information and documents. The first thing to do is to ask the prospective contributor to sign a disclaimer and waiver for the background investigation, and submit a resume, an ID, a copy of diplomas, and a security questionnaire with his/her personal information (name, address, contact details, etc). It is not advisable nor necessary to ask for any sensitive information like a credit card number or social security number, which are not needed for the verification process.
Review the open-source information. Here are a series of tools that can help review the available open-source info and detect derogatory information (criminal activities, fraud, scams, etc), along with unusual or suspicious behavior. These tools will also be helpful in the next steps, when looking for discrepancies (signs of deceptive tactics, hidden information), and conducting verifications (revealing false information and false statements).
Do a security interview. A face to face background interview makes it a lot harder to bypass the verification process, and a lot easier to detect issues. The interviewer can ask the applicant to describe their current activity and previous history, ask for precise, verifiable references, and clarify missing or unclear information. Look for risk signals, for example if the applicant is elusive about a specific question or topic. Look for discrepancies, for example if two statements do not add up, or if a statement is inconsistent with the information you already have. Such a security interview is always non-accusatory. The objective is not to accuse or force the person to tell the truth, but only to collect information and do a risk assessment. Any red flag, unusual answers, inconsistencies and discrepancies are useful information for the later verifications and risk assessment.
Compare/Verify. This step is not about finding new information, but about verifying that the information you have can be corroborated. It is neither realistic nor necessary to verify the accuracy of every bit of information about the applicant’s life, but it is essential to verify a number of claims and references. It’s important that the investigator selects the sample to be verified, not the applicant. Typically, the investigator will carefully verify and corroborate a selection of claims from the documents and statements provided by the applicant. This would include: full name, aliases, place and date of birth, address, current activities and associations, past education, employment dates and roles, portfolio of previous projects, certifications, career timeline, and every relevant claim that can be efficiently confirmed or infirmed. This verification step is vital to the quality of the process, and is the core difference between a simple check and a true investigation.
Look for discrepancies. This step is not about finding or verifying information, but rather about evaluating the consistency of the dataset by measuring the number of discrepancies. Discrepancies are unexplained differences between two pieces of information. They are a powerful yet very efficient way to detect deceptive and fraudulent behavior, and missing or hidden information. When an applicant conceals something, it generates multiple discrepancies between the different pieces of background information. Discrepancies can be between two statements, or between two documents, or between a statement and the open source information, etc. For example, if someone says they have lots of experience in X, but are not able to provide precise information about these previous experiences, it is a concerning discrepancy that indicates a high risk of false experience claims, or hidden suspicious past activity.
Ask for additional information. If something is very unusual, or does not make sense, one way to evaluate the finding is to ask for additional information. If the applicant fails to provide adequate information, it confirms the concern, and if the applicant is able to provide valid, verifiable information, it mitigates the concern.
Do a risk assessment. For the final risk assessment, the list of identified red flags, risk signals, and discrepancies needs to be weighed. Their weight is increased if the context brings an aggravating circumstance, or reduced if there is a mitigating circumstance (e.g. logical explanation, guarantee). In the context of remote collaboration and partnerships, the base country of the applicant can also be accounted for in the risk assessment. You can verify if the country has a higher risk of fraud (e.g. the CPI Score), or a reduced capacity to make criminals accountable (e.g. FATF List, and WJP Index), as well as the country’s judicial cooperation in place (extradition treaties, extradition rates). Finally, the amount of verified information, and the length of time since you have known the applicant, can act as mitigators. The weighted risk, mitigated by the information and time factor, provides you with an objective, fact-based evaluation of their risk vs trustworthiness.
Challenges of Vetting Candidates in Web3
Vetting partners and developers is a powerful way to raise the security of a project, but applying this high-level security principle to the blockchain industry can be challenging for numerous reasons. Cryptography specialists value their privacy, and in some cases are even exposed to local government threats. In this sensitive context, conducting thorough, in-depth due diligence, detecting hidden risk signals, and objectively assessing individual risk can be complex and time-consuming for entrepreneurs. This is why many organizations choose to rely solely on a superficial “background check”, which does not verify that the person is who they claim to be, nor detect hidden activities and malicious intent.
Using a third party security auditor to conduct these background investigations can facilitate the effectiveness and efficiency of the security measure. A third-party investigation specialist will be able to keep the applicant’s personal information private, even to the recruiter, and will also be more legitimate in the eye of the applicant. A specialist with training, experience in criminal and background investigations, and with a rigorous process and an optimized set of fraud signals will be more effective at detecting risk than a recruiter, and more efficient at conducting the background investigation and assessment. CertiK’s team of professional investigators come from a variety of intelligence and law enforcement backgrounds. In addition to leveraging a comprehensive background investigation and risk assessment process, CertiK maintains a proprietary dataset of repeat Web3 fraudsters and tailored risk signals that facilitate fraud detection. Web3 projects which are committed to reduce their exposure to the risk of insider threats, offering the highest level of security and transparency to both their community and their fellow team members can get in touch to learn more here.
(This submission is a guest post to BSC News.)
What is Certik:
Certik is a blockchain security firm that helps projects identify and eliminate security vulnerabilities in blockchains, smart contracts, and Web3 applications using its services, products, and cybersecurity techniques.