Naked Security

Facebook’s Libra cryptocurrency is big news but will it be secure?

Unless you’ve been living under a rock, you’ll know that earlier this week Facebook announced plans for a new global cryptocurrency for absolutely everyone called Libra.

Slated to launch in 2020, Libra’s success will be decided by the interaction of three things: its financial architecture (which is complex and novel), how that affects its popularity and take-up, and the consequences of how it might be used and misused.

Financial design

Regardless of what you think of the idea of a cryptocurrency invented (but not controlled) by Facebook, Libra’s coming feels like a big moment for an idea that’s been around for a decade but is still struggling to become mainstream.

Bitcoin, for instance, is a world-famous cryptocurrency almost nobody uses to do real economic work beyond consuming lots of electricity mining tokens and then speculating emptily on their value.

Libra thinks it can solve this by being more like a real fiat currency, managed by big brands (Visa, Mastercard, Spotify, PayPal, Uber, Lyft, Vodafone, and Facebook itself), backed by real assets, and regulated to avoid both volatility and the possibility of money laundering. As Libra’s 29-page white paper states:

The Libra Blockchain is a decentralized, programmable database designed to support a low-volatility cryptocurrency that will have the ability to serve as an efficient medium of exchange for billions of people around the world.

Far from trying to disrupt central control, Libra will embrace it whilst fulfilling the big economic promise of cryptocurrencies to abolish the archaically high charges levied to move currencies around or translate them from one (the dollar, say) to another (the euro or Renminbi).

Libra does employ one innovation for a cryptocurrency on this scale by splitting itself into two parts, the fiat-backed currency and a second investment token that will be offered to accredited investors and members of the Libra Association.

Instead of pegging its value to scarcity à la Bitcoin, Libra’s value and liquidity will be decided by a distributed bank of big investors (including central banks) who, we must assume, know what they’re doing.

In other words, it will behave like a usable, reliable form of digital money that just happens to function via a pseudonymous blockchain somewhere out there.

Why are big companies such as PayPal, Mastercard and Visa so keen? Because they will take a chunk out of the vast and profitable foreign exchange market they currently see very little of.


What about security?

If there’s a nervousness surrounding Libra’s effect on the real world, it’s connected to its biggest feature – Facebook also wants it to be used by billions of people to buy and sell things, and move money around at low cost, in effect creating the world’s first unofficial global currency.

You don’t have to be a pessimist to predict that this sort of prominence will attract a lot of unwanted attention. Indeed, within hours of Facebook’s announcement there were already reports of sites peddling Libra scams.

And that’s before Libra even exists. Scams promoting imaginary currency, fake exchanges, services and wallets – including phishing targeting currency accounts – could well proliferate after launch.

The bullseye for cybercriminals would be Libra’s Calibra wallets held on smartphones, which is why Calibra, the Facebook subsidiary behind the wallet, says it will refund lost coins, including ones stolen fraudulently.

That implies strong authentication, which the official Calibra wallet app says it will manage for users so they won’t have to remember long passwords or look after private crypto keys themselves.

But cybercriminals won’t give up on breaking wallets, and are bound to look for vulnerabilities in the software (or in rival wallets offering the same service) or to develop mobile malware capable of siphoning off credentials and data.

Another way might be to attempt to take over accounts by exploiting reset procedures. Or perhaps they’ll focus more on trying to trick people into sending money to scam accounts masquerading as genuine contacts – a version of wire fraud.

Because third-party wallets are allowed, there’s an inevitable risk that their developers become the soft underbelly: every wallet that holds or manages keys on a user’s behalf is a separate implementation for attackers to probe.

Can fraud be beaten?

In theory, because Libra runs on a permissioned blockchain whose validators are the association’s members, reaching agreement via the LibraBFT Byzantine fault-tolerant consensus protocol, fraudulent transfers or losses could be reversed, although it’s not clear how that would work once the recipient has cashed out. Note that consensus only decides which transactions are committed and in what order; any reversal would have to be a rule the association writes into the ledger, not a property of the protocol. That suggests a comprehensive scheme for controlling accounts and identifying account holders that goes beyond anything in existence today.

This raises an intriguing possibility: perhaps what Libra heralds isn’t simply a global currency but the beginnings of a basic system of secure identity, coming not from the blockchain itself (where an account is nothing more than a public-private key pair) but from the authentication architecture built around it.
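To make the point above concrete, here is an added example (not code from the article, from Facebook or from the Libra project) of what an account looks like at the chain layer: a key pair, an address derived from the public key, and a signature over a transfer. The transfer format, the use of SHA-256 for address derivation and all names below are assumptions made for illustration; Libra’s real transaction format is not described on this page. What the example shows is why key management and account recovery have to live in the wallet and authentication layer: at this layer there is no password to reset, a lost key is a lost account, and a stolen key is a stolen account.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// Account is a pseudonymous on-chain identity: nothing more than a key pair
// and the address derived from the public half.
type Account struct {
	Pub     ed25519.PublicKey
	Priv    ed25519.PrivateKey
	Address string
}

// Transfer is a simplified payment. The sequence number makes each signed
// transfer single-use, so a captured signature cannot be replayed.
// (Constructed for this example; not Libra's real transaction format.)
type Transfer struct {
	From     string
	To       string
	Amount   uint64
	Sequence uint64
}

// NewAccount generates a fresh Ed25519 key pair and derives its address.
func NewAccount() (Account, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Account{}, err
	}
	return Account{Pub: pub, Priv: priv, Address: AddressFromPublicKey(pub)}, nil
}

// AddressFromPublicKey maps a public key to an address. Using SHA-256 of the
// raw key bytes is an assumption made for this example only.
func AddressFromPublicKey(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// encode produces the exact bytes that are signed. Every field is
// length-prefixed so that no two distinct transfers encode to the same bytes.
func encode(t Transfer) []byte {
	var buf []byte
	var n [8]byte
	for _, s := range []string{t.From, t.To} {
		binary.BigEndian.PutUint64(n[:], uint64(len(s)))
		buf = append(buf, n[:]...)
		buf = append(buf, s...)
	}
	for _, v := range []uint64{t.Amount, t.Sequence} {
		binary.BigEndian.PutUint64(n[:], v)
		buf = append(buf, n[:]...)
	}
	return buf
}

// SignTransfer authorises a transfer. Only the holder of the private key can
// do this; there is no password reset at this layer.
func SignTransfer(priv ed25519.PrivateKey, t Transfer) []byte {
	return ed25519.Sign(priv, encode(t))
}

// VerifyTransfer is the check a validator performs: the presented public key
// must own the sending address, and the signature must cover these exact bytes.
func VerifyTransfer(pub ed25519.PublicKey, t Transfer, sig []byte) bool {
	if AddressFromPublicKey(pub) != t.From {
		return false // this key does not own the sending account
	}
	return ed25519.Verify(pub, encode(t), sig)
}

func main() {
	alice, _ := NewAccount()
	bob, _ := NewAccount()
	mallory, _ := NewAccount()

	tx := Transfer{From: alice.Address, To: bob.Address, Amount: 100, Sequence: 1}
	sig := SignTransfer(alice.Priv, tx)
	fmt.Println("genuine transfer verifies:", VerifyTransfer(alice.Pub, tx, sig))

	// Tampering with any field after signing invalidates the signature.
	tampered := tx
	tampered.Amount = 100000
	fmt.Println("tampered amount verifies:", VerifyTransfer(alice.Pub, tampered, sig))

	// Mallory cannot spend from Alice's address: her key derives a different one.
	fmt.Println("Mallory spends from Alice:", VerifyTransfer(mallory.Pub, tx, SignTransfer(mallory.Priv, tx)))

	// Losing the key means losing the account. A "recovered" Alice is a new key
	// pair with a new address; the chain has no way to link it to the old one.
	recovered, _ := NewAccount()
	fmt.Println("new key pair reaches old address:", recovered.Address == alice.Address)
}
```

The last two checks are the ones that matter for the article’s argument: anything that lets a user recover an account after losing a phone, or that refunds a theft, has to be implemented by whoever holds or escrows the keys (the wallet provider) or by ledger rules the association agrees on, not by the signature scheme. That is exactly the layer that account-reset attacks and wallet malware will target.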

Many cybercrime problems are tied to the lack of a mechanism for knowing that someone is who they say they are. The evolution of authentication has been knocking on the door of this problem for some time and it could be that the real significance of Libra is that the systems built to ensure its integrity are about to shift identity to the next level.


Fraud will always be around.
Facebook fraud is easy to avoid, just don’t participate.
Don’t buy anything through Facebook, don’t use their currency, don’t associate with your banking or investment institutions on fb.


I have no doubt people will be falling over themselves to use this currency; although I wouldn’t trust Facebook as far as I could throw Zuckerberg, so no thanks. I’ve no idea why online fiat currency is even a thing.


The argument for cryptocurrencies as a concept is that the digital economy for services in particular is tied down to an offline financial system that’s 300 years old. That adds a lot of cost, time and complexity, and ties mortals to institutions called banks which some believe wield power without responsibility.


So, just wanted to say, I don’t think you used pseudonymous correctly here. According to it means 1) bearing a false or fictitious name or 2) writing or written under a fictitious name. Neither of these seem to apply to the blockchain. Maybe you meant pseudo anonymous? Which of course has a totally different meaning.


The Bitcoin blockchain is pseudonymous. Your actions are public but associated with an ID (a false or fictitious name).


The concept of it being a Facebook made currency had already turned me off but the fact that it will be managed by big corporations and investors has put a foul taste in my mouth that no mouthwash could possibly remove. Not sure how I could really trust something like that in the hands of corporations and…the Zuck.

