From the Winter 2023 Issue

A Wrinkle in Metaverse

Carmen Marsh
President and CEO | United Cybersecurity Alliance

The metaverse is the latest and coolest technology designed to let us experience things in the virtual world, using Virtual Reality and Augmented Reality (AR/VR) tools. However, it also presents us with a plethora of security challenges. Is this modern technology creating a “wrinkle” for bad actors to access our “Meta” world and exploit it?


The Metaverse is being created to give us an amazing alternative to our physical world, but without many of the real-world limitations. This new platform is truly taking the digital transformation to a whole new level, making the ways we work, learn, play, and socialize, brand new.

Many of us have already learned that, like with most things, the good also comes with some “bad”. It can be truly exciting to exist in a world of no limitations, but it can’t be all good, right? As it stands now, we are already aware of several security and safety challenges, but there is a lot more that we have yet to identify.

We now have a chance to prepare for the worst by looking beyond the basics while this alternate universe is gaining more popularity and new worlds are being created every day.

Is It Really You?

The Metaverse is designed to function with the use of digital avatars each user creates for themselves. Basically, after we create our avatar, it should be unique and secure. With our Personally Identifiable Information (PII) secured, we should be able to safely do what we usually do in the physical world, such as shopping and working, without worrying about someone stealing our information.

But what if your avatar could become a pathway for bad actors to get to your data containing financial accounts, health info and other sensitive information? Like any new technology, the Metaverse will open up opportunities for cybercriminals to steal our identity in order to get access to our entire life. Gaining that access can also enable them to ruin our relationships with people at all levels.

To make things worse, bad actors often choose to represent themselves in the digital space using deepfakes. This type of identity hijacking can put our “Metaverse” personality in the worst kind of trouble, including triggering digital and physical security risks.

Digital Currency

We know each Metaverse will have its own type of currency/cryptocurrency, the most common being ETH (Ethereum) and several other types of Non-Fungible Tokens (NFTs). As of now the value of digital currencies and NFTs can rise and fall while stored, but the initial purchase is always made through our standard currency. Currency frauds are already occurring in the Metaverse; however, that is just the beginning.


Could the risk of biometric hacking be counted as a potential cybersecurity threat in the Metaverse? It absolutely could!

As a Metaverse user you will be required to wear a VR headset along with other VR/AR technologies, such as haptic gloves, which can then be used for biometric identification through iris scanning.

Hackers’ access to these biometrics could possibly allow them to gain access to private information about people’s medical data and other sensitive information.

Let’s Get Physical!

It is not only digital safety we should be concerned about in the metaverse. Our physical safety can be at risk as well. If a bad actor gains access to our Metaverse account, they could easily manipulate our environment in ways that threaten our physical safety. While being hacked, people moving in the metaverse can easily be re-routed to a different path, off the walkway, and into danger.

The cybersecurity threats of the Metaverse are very real. It is the obligation of the technology makers, as well as government, corporations and all of us to take this seriously, and implement effective safeguards against all risks.

How do we protect ourselves against data hacks, scams and malware invasions and still enjoy the Metaverse, knowing that it will house quite a big collection of sensitive data? And what about privacy?

Block on Block We Build A Chain…

For years we have seen experts debate whether it is secure to use blockchain technology to build new software. This technology is predominantly secure, but certainly not immune to cyber threats. One of the issues is that it is decentralized, which means it doesn’t have a designated admin for oversight and management. With this setup, it will be impossible to retrieve anything that has been stolen.

Little Red Avatar and a Big Bad Cybercriminal

Since the Metaverse will operate through avatars, there will be no concrete method to identify cybercriminals. It will be easy to duplicate the digital landscape, possibly over the dark web.

Knowing the Metaverse will bring tons of security issues, we must think through and implement very robust cybersecurity measures and strict governance policies.

Three Little Avatars and Other Stories

What can three little avatars do to be safe from the big bad cybercriminal?

To start, we can only hope that security is part of the overall development of the Metaverse software architecture. As we bridge the physical world with the digital in such new ways, we must lay down some ground rules and secure concepts, with privacy at the forefront. The list is certainly long, but let’s name a few:

  • Strong endpoint security through VPNs, proxies, and antimalware software to protect against malware and other cyber threats.
  • Continue raising awareness about social engineering and phishing attacks.
  • Implement threat hunting, penetration testing, and vulnerability scans to ensure security systems are safe, secure and uncompromised.
  • Write and enforce a book of law/rights or a playbook to define what is allowed and what is not in the Metaverse.
  • Enforce data accountability and data protection responsibilities.
  • Create a rating mechanism for age-appropriate access and use.
  • Set up malware protection.
  • Ensure and sustain audit capabilities.
  • Reinforce identity and validation standards.

A Brand-New World

Since the start of the Internet, our universal horizon has widened to the point where freedom to collaborate, share and learn has brought the world to our fingertips. And now, with the existence of the Metaverse, we are ready to create new worlds and universes where everyone can be part of it simultaneously regardless of geolocation. However, we must draw on our experience and lessons learned before we go too far in building the virtual worlds.

We must always keep security and safety at the forefront. Security and privacy play a big role in building a trustworthy world where we can trust that the person we are talking to really is who they say they are. We must find a way to implement profile validation. If the Metaverse is built using blockchain technology, then we need a very good solution or mechanism to enable identity verification. Perhaps one of the better ways could be the implementation of biometric identification such as fingerprints or facial recognition.

One thing we can be sure of is that the Metaverse will soon become the new attack surface despite our best efforts. Strong passwords, firewalls, MFA, threat detection tools and more will not suffice. We will need advanced anomaly detection capabilities and ways to encrypt data at rest or in transit. We will need to step up our efforts to increase cybersecurity awareness across all ages of people we expect will participate in the Metaverse.

There must be the right balance of security, policies and overall safety that will not hinder us from experiencing the Metaverse as it was designed, with freedom of speech, being able to get information and make exchanges, yet with privacy and security at the forefront. After all, the Metaverse may be what the future will look like for us in a brand-new world with no limitations.
