The job of chief information security officer involves a lot of worrying. A CISO has to anticipate all the ways hackers can target weak spots in a company's network or trick its employees and customers into handing over data. Doing this job in the crypto industry—which is an especially lucrative playground for hackers—would seem even more stressful, but Coinbase's CISO, Jeff Lunglhofer, doesn't see it that way.
I spoke with Lunglhofer on the sidelines at Consensus, and he told me crypto may involve unique technology—blockchains, smart contracts, and so on—but that the nature of his job has been the same through his decades-long career: Identify the people and places a hacker will target, and do his best to deny them the opportunity.
That doesn't mean he doesn't worry, and, right now, one of Lunglhofer's top concerns is the same one that has other security executives on edge: the rapid proliferation of deepfakes. There are already videos circulating that feature the voice and image of crypto CEOs like Coinbase's Brian Armstrong and Ripple's Brad Garlinghouse and promise to give away free tokens. Lunglhofer warns that giant platforms like YouTube—which aren't vigilant about policing crypto scams at the best of times—are likely to be slow to stop deepfakes since, on the surface, they look innocuous and don't contain illicit content like terrorism or nudity that the platforms make the most effort to detect.
Most alarming, Lunglhofer says, is that the quality of deepfakes is getting better every month, which will make them both more convincing and harder to detect. In response to this coming onslaught, and to the problem of scams in general, he has a recommendation that goes beyond staying vigilant: If you are moving money, slow down.
Lunglhofer laments that convenience is often the enemy of security and that, in both crypto and traditional finance, people embrace any tool that will let them move money faster. This has led to repeated situations where executives move millions of dollars with a swift click or two—a practice that is especially perilous in the crypto realm, where most transactions cannot be reversed.
This is why, for big transactions, Lunglhofer favors tools like vaults and multi-sig signing protocols that entail "cooling off" periods before money can move. For everyday transactions, he is a big fan of passkeys, which are a security feature offered by Apple, Google, and others that generate a security token on a person's device that can't be replicated or transferred. And not surprisingly, Lunglhofer warns consumers to avoid authentication based on SMS—a tool he says is easily compromised and that was never designed to be a security feature in the first place.
The bottom line is that setting up passkeys or adding other layers of security might take a minute of your time but, as cyber threats get scarier, the protection is more valuable than ever.
Jeff John Roberts