Hacking on Web3 is easy because it uses the same pattern that has been used since the inception of the Internet: pretending to be someone else.

Due to the complexity and “cool factor” of Web3 projects, one can easily, and wrongly, assume that Mr. Robot level of advanced hacking techniques are needed to pull off a successful attack. In truth, though, it only takes one sinister ad placed in Google search results, one impostor Telegram group, or one malicious email to breach the security barriers of the Web3 ecosystem.

Blockchain projects can use top-tier smart contracts, securely integrate crypto wallets, and use best practices at every digital step across the board. But they still need help with the social aspect of user protection.

Web3 takes “ownership” from central entities and distributes it to users to democratize the Internet for all. It empowers the user.

But, achieving this ownership power also comes with significant responsibility. Users need to understand how crypto wallets work, how transactions are made and how assets are stored, and the steep learning curve isn’t helping.

Cointelegraph sat down with Dmitry Mishunin, the CEO of blockchain auditor HashEx, at Istanbul Blockchain Week to discuss the ins and outs of Web3 from the perspective of a security expert.

Cointelegraph: You were working on Web3 even before it was a thing. How do you describe or frame Web3?

Dmitry Mishunin: I think the main feature [of Web3] is that the control of the funds is the responsibility of the users, and this is a fascinating paradigm.

Web1 is just a read-only experience. You can get the information and get the context, but you can’t do anything with it. Web2 is a read-write mode – you can upload something. And Web3 is read, write, own.

This is a crazy liability for the end user because I haven’t had that experience before. We see a lot of security problems because people don’t realize that this is their personal liability against their own assets. People are not ready for this.

CT: How do you think Web3 differs from others in terms of security and user protection?

MD: It comes with a new level of security and a new level of smart contracts. It’s not just about the privacy of smart contracts; it involves the entire infrastructure of wallets, users, its mission, etc.

When a large bank is short of funds, governments can provide the funds, not as credit. They buy the bank for $1 and give funds from the government. The Web3 infrastructure is not ready for this because governments and big regulators don’t think it’s worth it, or don’t think they can trust this ecosystem.

For example, if I had a PayPal account, I would be 100% sure that PayPal kept my funds safe. And if someone steals it, [PayPal] I’ll give it back to you, or maybe I can go to trial. At the end of the day, my funds will be returned to me. It is difficult to understand that you have a personal responsibility for these funds. [in Web3] – it’s hard to notice.

Phishing is still a big threat on Web3

MD: Even at HashEx, a security company, we lost about $100,000 last year, not to scams, not to risky investments, but to human error. We had a pivotal phishing experience when our employee wanted to do some trading on Pancakeswap, searched for Pancake on Google, and didn’t realize he was clicking a link in Google Ads, not the search results.

It had a popup that looked like a MetaMask window. The popup said: “you have an error in your MetaMask”, and she entered her opening sentence.

CT: So in summary, smart contracts will be more secure, but phishing will still be the biggest problem in web security. Will the social aspect of security be the core business of companies like HashEx?

MD: We can reduce phishing attacks because it is primarily about knowing and understanding how scammers deceive users. This is not about the cyber police or the auditors because executing these types of attacks is easy. You can simply create a Telegram group and send messages to users. It is impossible for security companies to cover all these things.

However, we sure can help with this level of user understanding, and we do. We have the HashEx Academy. We are making a lot of content about it. After a while, people should get a better understanding of how Web3 should work.

CT: Is it possible to remain anonymous in the Web3 environment?

MD: It is only possible if you do not withdraw funds and transfer them from Web3 to the real world. If you want to withdraw funds from Web3 to the real world, the risk of losing your anonymity appears immediately.

CT: Metaverse and blockchain gaming are the top trends for Web3 right now. Do we have other trends besides those?

MD: The Internet of Things (IoT). It is a powerful trend. It’s great when those devices can exchange data with smart contracts or with each other.

There are some smart devices in my house, such as a washing machine and a dry cleaner. I use these IoT features. It’s good for me, and I think more complicated systems integration will be fine.

CT: Why do you think blockchain-based IoT would become a trend?

MD: It’s because companies lack universal support for IoT. For example, there is a massive problem with availability in different countries or different regions. If you’re talking about Amazon or eBay, they have different databases and websites all over the world and every couple of hours, or every couple of days, they sync them. But surely they don’t use the same database for North America, South America or Europe.

And, if you are a technology provider like LG or Samsung and you want to connect all your devices around the world, you have two options. Either you have different hubs in different regions and you sync them up, or you use something like a blockchain. So for the high reliability of this process, blockchain and Web3 are helpful.

CT: What do you expect from the Web3 industry for the next year?

MD: Standardization. We have to ask for more and different spheres of blockchain. We have to ask about other ways to transfer funds between blockchains. Bridge standardization: You can have more tools and more frameworks. It’s really useful.