National digital currencies have passed from ideas and prototypes into reality. In addition to the Bahamas, China and Sweden have been running digital currency pilots, and within a few years, we could see dozens of central banks issuing digital currencies.
Central bank digital currencies (CBDCs) differ from cryptocurrencies such as Bitcoin in that national banks issue and back them. CBDCs rival stablecoins such as USDC because some stablecoins are also backed by fiat currency.
The biggest player in global national currency, the U.S. Federal Reserve Bank, has made no commitments to issuing a CBDC. But given the dollar’s importance, whatever decisions the Fed makes about the form a CBDC takes would have an enormous impact on global financial systems. There’s good reason for the Fed to be cautious, careful and deliberate about a digital dollar, especially since CBDCs pose significant challenges around privacy and security that may require novel technologies to overcome. In a panel with Appdome, Neha Narula from MIT’s Digital Currency Initiative and Jim Cunha, SVP of the Federal Reserve Bank of Boston, talked about the importance of mobile devices and apps to the future of payments:
“… There’s been research by the FDIC and the board of governors that talks about the number of unbanked people that have smartphones. And [the phones] are their computers, their TVs, everything. I think that the penetration into the unbanked or underbanked really allows the phone to be the access device … at the point of sale … and an example of what retail could be … On the cybersecurity perspective, there are many issues from security that matter, whether it’s spamming or denial-of-service attacks, or foreign nation states trying to attack.”
CBDCs, Security and Fraud
To avoid becoming a target for criminal organizations and nation states, a CBDC platform must protect a user’s mobile data, the application that they’re using to manage their digital currency and the connection between the mobile application and backend server.
Because smartphones and banking apps will likely be a popular means for managing a consumer’s digital currency, these apps must be far more secure than the majority of mobile apps are today. CBDC apps must also preempt the many ways fraudsters abuse mobile apps, mobile operating systems and devices to carry out fraud. Some of the most widely known include click bots, mobile malware, large-scale virtualized environments used to carry out credential stuffing, clickjacking, overlay attacks and banker trojans. What’s particularly harmful about these new challenges is that they take advantage of the way mobile apps work, weaponizing Android and iOS apps and abusing legitimate functionality of operating systems.
For example, once fraudsters have reverse engineered an app, they can create convincing trojans, which look and feel like the genuine app, but are, in fact, malware. They can also insert realistic overlays that look as if you’re performing normal functions in the app, when you are in fact agreeing to give a malicious actor extensive permissions or information later used to illegally transfer funds.
There are technologies today that identify fraud. But identifying fraud after it happens means dealing with the damage after the fraud has been committed. By then, the user and company have lost funds, and the company or financial institution has suffered reputation loss. CBDC platforms need to be proactive and preempt fraud before it affects users or central banks.
Privacy and CBDCs
Related to security is privacy, another large concern. Some believe the more a technology protects privacy, the harder it is to stop illicit activity such as fraud. In reality, technologies can both protect privacy and address fraud.
CBDCs could help to change the way people manage their identities, including those who are currently underbanked or unbanked. In the United States, people use a driver’s license or social security number as proof of identity, neither of which is secure or universally held. As a result, we are unnecessarily sharing private information that, if leaked to the wrong people, could be used to steal our identities. CBDCs will likely use techniques such as zero-knowledge proofs for identification. These proofs use cryptographic methods so that one person can prove to another person that they know “x” without conveying any information apart from the fact that they know the value “x.”
Protecting privacy also requires a multi-layered defense against data leakage. This means CBDC apps will need to defend against malicious keyloggers and careless screen sharing. Keyloggers, mobile malware and infiltration of the mobile clipboard can lead to theft of confidential user data.
CBDCs have the potential to open up banking to a larger number of people because they enable people to participate in the economy without having a bank account. People have the freedom to be their own bank, by managing their own keys or by keeping their funds in an app or a hardware wallet.
CBDC platforms and apps will need to leverage technology to protect user privacy, prevent fraud and defend users, data and systems from security attacks. Whatever the Fed decides to do, it’s clear that CBDCs are coming and will transform the world of payments. The fintech world would do well to pay close attention, as it will present big changes and big opportunities.