"You can't protect against everything:" Cybersecurity experts warn about potential security risks, scams in the metaverse

Cybersecurity experts warn about potential risks in the metaverse

If you want to know what can be great about the metaverse, talk to 12-year-old Cooper Stone. He plays video games like Fortnite and uses his virtual reality headset to play sports. 

"The metaverse is a virtual reality world where you can go to concerts, you can see famous and really cool people around the world," Stone told CBS News' consumer investigative national correspondent Anna Werner. 

In the future, those experiences will likely seem more real as Jason Rubin of Meta – formerly called Facebook –  told CBS News in February in an interview conducted in a virtual reality program. 

"Slowly but surely I think that things you can do in the metaverse, and the amount of time you spend in virtual reality in the metaverse will slowly increase to the point where we really become an immersive world," Rubin said. 

So it's no surprise that companies are seeking ways to create experiences and make money in the Metaverse. 
But security experts believe where there's money to be made, the criminals won't be far behind and all things — including money, personal information and social security numbers — are at risk.

"We totally expect them to move into this," Kevin Gosschalk, co-founder of Arkose Labs, said. 

Stone and his parents say they already got scammed when hackers broke into his Fortnite account last year and charged up his parents' credit cards. 

Epic Games, the company that owns Fortnite, told CBS News it has purchase controls for parents to manage Fortnite purchases and "checks all accounts for signs of compromise continuously" to help stop fraud. 

Epic added that "Most times, an account compromise is the result of malware, phishing or password reuse between multiple sites. Our parental controls enable families to make informed choices about their children's Fortnite experience. These include purchase controls that apply to all payments made through Epic Games' payment service." Players and parents can find out more information about how to keep their online accounts secure on their website.

Caroline Wong, with cybersecurity firm Cobalt.io, said criminal attacks can take on more disturbing forms: for example, if a hacker gains access to your VR headset. 

"If a hacker can access that camera, they can see into your office, they can see into your bedroom. They can see inside of your home," Wong said. "That's called the camera attack. Another one is called the overlay attack. When they can control what you're seeing and what you're hearing." 

Some content in the metaverse may be disturbing to some users, especially children—including finding guns in some user-created rooms and inappropriate metaverse graffiti images. 

Meta declined to comment on camera to CBS News but said Quest headsets are designed for children ages 13 and up with some experiences only for people 18 and up. 

Meta has previously said they'll offer additional parental supervision tools to monitor their teens' activities.  

The company said it has set up "safe zones" inside the software so users can exit situations they might find uncomfortable. Later this month, the company will offer a way for parents to lock specific apps that aren't age-appropriate for teens.  

VR Chat said underage users are not permitted and are banned if detected and that "user safety is a top priority". 

"You can't protect against everything. But there are things that you can do," Wong said. "They build the world, they create the experiences. Everything is very much on purpose. Everything is being monitored already. How long your eyes gaze at a particular digital object? Exactly what you click on, exactly what you type. All of that is being monitored. It can be monitored." 

f

We and our partners use cookies to understand how you use our site, improve your experience and serve you personalized content and advertising. Read about how we use cookies in our cookie policy and how you can control them by clicking Manage Settings. By continuing to use this site, you accept these cookies.