The worldโs now demanding instant transfers, and the people who built the crypto rails were all about getting things done in a hurry. They wanted to move fast. Speed, however, has its dark side as well, as one analyst succinctly described it: โspeed and risk go hand in glove.โ Well, yes, fast payments do come with some big advantages – real-time settlement and availability 24/7, for instance, but itโs also made it a prime target for try-hard hackers because of how instant it all is.
To be completely honest, this means that crooks and nation-states have only a few seconds to try and find a weakness before the transaction is finalised with no going back and no easy way to unwind in crypto. So, the CISOs have a tough job; they need to design extra layers of security from the get-go. The burning question on everyoneโs lips is: how can top security teams get instant crypto payments without putting their customers at risk in the process? In the next bit, we take a look at how high security teams can make super quick and safe crypto payments.
Growing Institutional and Consumer Demand for Crypto Payments
Consumers and Businesses finally get the crypto-friendly payment options theyโve been screaming out for, and even the big players are starting to listen, finally! Names like Visa and Mastercard have been rolling out crypto checkouts for a while now, just to name a couple, PayPal and Square, and even some rather old-school banks are starting to dip their toe in the world of digital assets. You can see this in all the surveys; theyโre screaming out for tens of millions of consumers to be able to pay in Bitcoin, or other coins, but now theyโre starting to get the answer theyโve been crying out for. At the same time, dozens of central banks are starting to get interested in digital settlements and throwing money at getting up to speed as quickly as they can.
Some of the larger fintech companies have launched their own dollar-backed tokens that do the whole instant transfer thingy, if you know what I mean. A case in point, PayPal have launched its own stablecoin, PYUSD, back in 2023, which, as the name suggests, is backed 100% by the good old regular US Dollar, cash equivalent, which can be exchanged 1 to 1 with the real deal. Their CEO, Dan Schulman, has been very vocal on exactly how they do things, which has been to follow the rules and innovate sensibly, which has been part of the DNA of the company since day one.
Itโs the same story with Visa, which is actually starting to blockchain tech so they can make things faster with rail settlements using Circleโs USDC token as part of the deal. This way, banks can actually some pretty cool, faster, and programmable options for settlement without needing to think about security, compliance, or reliability, all the things that the old systems need. All of these moves by the industry basically point to the fact that instant and secure payments can actually be done, when safety is put 1st from the word go.
The Expanding Threat Landscape in Real-Time Crypto
The crypto landscape is still in a constant state of upheaval. Real-time transactions leave little to no room for catching out would-be fraudsters, so they just bide their time and look for a moment to strike when the timing is right. Chainalysis reported a shocking $1.7 billion got swiped from crypto platforms last year, a pretty impressive number considering overall theft only dipped by a fair 54% compared to the year before. Meanwhile, high-profile hacks kept coming: a DeFi loan platform got creamed for a whopping $197 million in just one flash loan attack, and some of the biggest centralised exchanges out there – think Poloniex and CoinEx – lost out tens of millions in hacks.
Security specialist Mar Gimenez-Aguilar from Halborn warns that the trend of increasingly frequent and more serious attacks within the DeFi space is pretty scary. To put it bluntly, the bad guys are always trying to come up with new ways to scam in the DeFi world – and they tend to go after the chains that are most popular and liquid. At the same time, conventional bank-style scams are getting a whole new lease on life because those instant transaction rails are an absolute target-rich environment for push payment scams, account takeovers and business email compromise.
One training course for the people who manage fraud on the new US Federal service FedNow even lists credit push fraud, app scams and account takeover as some of the key threats they need to keep an eye out for. And because crypto makes it so ridiculously easy to stay anonymous, people with money to launder are finding new and devious ways to do it without getting caught.
According to Group-IB, more than $40 billion in crypto was laundered last year via mixers and dark web services – a staggering amount that can very easily slip through the cracks of traditional anti-money laundering screening. These kinds of examples only serve to drive home the point that when we move money at the speed of light, we’re bound to attract a whole new wave of scams and the old-fashioned financial crime – and we’re unlikely to have the same kind of safety nets that we get to rely on in traditional banking systems that get to process big batches of money in a nice orderly fashion.
Embedding Security into Payment Architecture
To keep these threats at bay, CISOs need to make security a fundamental part of how their payment systems work, not just something tacked on as an afterthought. Time and again, surveys and policy briefs say the same thing: heed the call to line up with well-established frameworks – like ISO/IEC 27002, the NIST Cybersecurity Framework or the BIS Principles for Financial Market Infrastructures, which are mentioned over and over in these documents. Just think about it – modern payment systems are now maturing rapidly and they’re incorporating some of the really sophisticated anti-fraud mechanisms, as well as real-time analytics that have upped the game.
The FedNow training guidelines couldn’t be clearer: institutions need to be doing some pretty serious real-time monitoring, giving each transaction a grade, and basically cancelling any transfers that just don’t seem right. And that’s only just the beginning: in fact, you should be able to cancel a transaction if you see something amiss before it even happens, like blocking payments to shady accounts or holding up transactions that seem off.
Cryptocurrency payment processors are on similar ground; they vet the people they work with against lists of folks who’ve been causing trouble, run their transactions through sanctions lists and only work with people once they’ve double-checked to make sure they aren’t trouble. They also link each transaction to some extra data (basically the public wallet addresses of the people they’re working with) to help them spot anomalies in the numbers – and to do it all with zero impact on user privacy. And all the way at the end of all this process, every single blockchain transaction needs to go through the same anti-money laundering/fraud filters that your regular fiat payment systems use, and if it raises any red flags, it shouldn’t do the instant settlement thing.
Advanced Cryptographic and Operational Safeguards
Critical to protecting those payments is continuous threat assessment and testing of your system’s resilience. Basically, you need to be thinking all the time about what an attacker could do to bring down your payment chain, which could be anything from stolen keys to protocol bugs and fix any weak spots before they get compromised. A good design will also help by spreading the trust around your system out to different parts of it, so that if one thing goes wrong, the whole thing doesn’t come crashing down. For instance, a lot of exchanges and custodians keep most of their cash offline in cold storage, only bringing out tiny ‘hot wallets’ for everyday transactions.
It’s pretty standard practice these days to use multi-signature wallets and hardware security modules (HSMs) too, which means one person (or even one server) can’t accidentally make a big transfer happen. And out in the forefront of the industry, you’re also seeing new cutting-edge techniques get used. For example, people are using the key “sharding” to break up a user’s private key into bits and storing those bits on separate systems, so that no one system has the whole key stored on it, and also multi-party computation (MPC), which does much the same thing.
One crypto expert says that this can make the user’s key ‘completely invisible to would-be fraudsters,’ which is a pretty great achievement. Another thing to think about is using audit trails that can never be changed, so if someone tries to mess with the system, they can leave a trail that makes it easy to spot. Some teams go as far as hashing the transaction logs into the blockchain, making a tamper-proof record.
Meanwhile, on the policy side of things, you’ve got to be doing regular security checks, penetration testing and now and then run a ‘tabletop drill’, you know, a practice run without any real consequences. It also helps a lot to work closely with regulators and other people in your field, so you can stay on top of what the current threats are and swap any useful information you’ve got with each other. Of course, you also have to keep an eye on those third-party vendors you are using (think cloud platforms and API providers) for instant payments. It’s a good idea to do some risk assessments and have the security clauses in your contract pretty tightly written in.
Traditional Financial Infrastructure Adapts
In the real world, a whole bunch of those massive financial companies are taking a long, hard look at their business models, trying to figure out how they fit in with this whole new crypto landscape that’s come about. Banks and banking networks are actively trying to work out ways to combine the speed of cashless transactions with the solid security that people expect from banking. Take SWIFT, for example.
This has been the backbone of international bank transfers for years, but last year they made a pretty significant announcement: they’re junking their old system and switching to blockchain based ledger that they cobbled together with some of the biggest banks in the world. Swiftโs CEO has made it clear what they’re after: a way to merge a shared ledger with their messaging system so they can get all the checks and balances right from the start. This way, they can still keep that same level of trust and security people expect, but it’s all going to happen in real-time, 24/7 cross-border bank transfers that actually work for a change
We see the same kind of thing happening with Visa’s pilot program and Circle’s stablecoin, USDC. They’re showing that a super speedy crypto payment system can just seamlessly slot on top of the normal way of doing business, with banks using the stablecoin to settle Visa transactions on a blockchain – instant settlement periods, improved liquidity management and all the automated treasury flows that come with that, all while Visa still gets to keep its super high standards for security and compliance.
And then there’s PayPalโs PYUSD project, which basically took an ERC-20 token on the Ethereum blockchain but had Paxos, that NYDFS-licensed firm keeping an eye on things to make sure everything stays legit. Each of these examples shows what we mean by “innovating with integrity”. Speed and trust go hand in hand.
Conclusion
Instant crypto payments are transforming the finance landscape, but speed has a big warning sign attached to it: security can’t be ditched in the pursuit of it. If you’re dealing with serious players with big pockets or you’re in one of those roles where you’re constantly dealing with regulators (and let’s be real, if you’re in the crypto space, that’s probably you at some point), then you’ll want to make sure that new systems are built with security top of mind from day one.
Which means you need to get those key bits to work together: governance, architecture, and keeping a close eye on all the usual sources of trouble, like keeping those crypto keys safe, making sure your users are properly verified, and that you’ve got real-time fraud protection in place, all while still getting the money moving super fast. And on top of all that, you’ve got to stay on top of the compliance requirements.
On top of that, as the bad guys keep evolving and coming up with new ways to attack, you need to be constantly updating your threat models so you don’t get caught off guard. And that’s what a growing number of experts are saying: when it comes to moving money in real-time, “security has to be your number one priority”. It’s the banks and crypto companies that can find that balance between cutting-edge tech and keeping risk firmly in check that will be the ones who come out on top and manage to make it so that even their most high-stakes customers can move money around without any hassle, all while keeping the trust of both customers and regulators intact.
