Viktor Kochetov, CEO at Kyrrex, a digital wallet and professional cryptocurrency trading platform, on the security issues of crypto exchanges and how to make trading convenient and safe.
By and large, bitcoin is not susceptible to security problems; it is an asset that has value due to speculation on it. Of course, a successful hacker attack on a large cryptocurrency platform can weaken bitcoin’s position, but this also applies to the entire market.
The price of crypto assets will fall only because of trade volumes; this happens because of the unstable psychological climate — the hype around market security.
But, in general, bitcoin and the companies engaged in activities with it, will easily return their positions after the information dust settles.
Even top exchanges are losing millions. The perennial problem is that the attack is always ahead of the defense due to its unpredictability and non-systematic nature. It is difficult to anticipate the next step intruders will take. Companies go through trial and error — they react to precedent. Sometimes companies themselves hire specialists who must find weak spots in the system.
It all works great, but the attackers, too, never sleep. Their schemes go far beyond technical hacking of platforms; they also resort to exploiting human relations. Social engineering, NLP, and the simple deception of gullible people lead to one thing — hackers acquire access to user assets on a particular platform.
The first six months were pretty harsh for crypto exchanges: seven of them fell victims to massive attacks.
As per Hot For Security data, the USA is the primary and the most attractive target for hackers, and every third victim is actually American. Russia and China take the second and the third positions respectively. When talking about criminal C&C servers, could you possibly guess their whereabouts? The dominant majority of them are located in the USA (56.1%); the Netherlands, Ukraine and Russia follow behind.
As of July 16, 2019, the average bitcoin transaction volume exceeded $3.22 billion per day, which is 210% growth since April. The bitcoin network soars and the crypto community expands. Given this, the question of security becomes more thorny than ever.
Crypto security: why it matters
Both credible crypto businesses and hackers, two opposing worlds, leverage the same technologies. The first ones are focused on broad objectives and higher purposes, while the intruders keep their eye on the ball, maintain a sharp sense of the latest market developments, and use every chance to be on the same page with it.
But what about crypto exchanges? Are they really in line with hacking trends? It seems like these two worlds are spinning at different speeds.
Tangible and intangible losses, plus reputational damage, raise the question of corporate security posture, safety philosophy, and attitude towards this challenge and its magnitude. In other words, is security paramount for this or that exchange? We are far from saying that there are still businesses engaged in crypto that underestimate the potential damage from attacks and prefer to rely on the law of averages.
Any self-respecting platform devotes its time and resources to reducing the risks of potential attacks on a daily basis. Throughout the history of the crypto industry there have been hacks of various scales. In view of this, each platform adopts new methods and systems to ensure the safety of its users.
Security matters for one major reason; exchanges have immense cryptocurrency volumes, and if hackers want them, they will get their hands on assets via hot wallets. If they have your keys, they have your bitcoin, and you cannot get it back. In terms of financial well-being, the sense of safety and trust is more important than any other aspect.
Human after all
There is a popular belief that a crypto exchange cannot be 100% secure. We do not support this kind of rhetoric because security is not that black and white; it is nuanced. On the one hand, the exchange can be completely safe from a technical point of view; on the other, the human factor will play a decisive role. As long as platforms are created by humans there will always be the possibility of error.
It is becoming more and more difficult for intruders to go through technical “circles of hell” built by the security system. So they try another way — human imperfection.
A series of resonant attacks were carried out with huge help from the human factor (the thirst for easy money, gullibility, ignorance, etc.). Also, there are cases where personal data of stock exchange employees was stolen simply because some staff members were not prudent.
Yes, we can and should talk about 100% protection of exchanges; however, we should not forget about the nature of cryptocurrency and its initial idea. Cryptocurrencies are created with the implication of anonymous decentralized use.
This essence is something the attackers will always exploit. Suppose there is a system which is flawless from a technical standpoint and its users are cautious and aware of cryptocurrency functionality and security measures. In this case, we can say a system is completely safe.
Today crypto exchanges have five major weak points which are precisely hit by attackers: high susceptibility to phishing, insufficient or absent hot wallet protection, unsecured staff credentials, software flaws and malleability of transactions.
The concept of crypto exchange security breaks down into four dimensions: user safety, registrar and domain security, DoS security, and Web security. Let’s dive into each of them:
User safety implies content flaws in exchange codes, the acceptance of weak passwords, 2FA availability, and action confirmation via email.
Registrar and domain security is about the availability of registry lock, role accounts for employees, DNSSEC, and expiration date for high profile accounts.
DoS security means protection from Denial-of-Service attacks and implies resilience to MITM, Clickjacking, Heartbleed, and POODLE attacks, and availability of the HSTS header.
Web security means security of web protocols, the availability of headers that ensure attack protection — HSTS, CSP, X-Frame-Options, X-Content-Type-Options, and X-XSS-Protection headers.
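An added example, not code from the original article: a Python check that grades a response's headers against the five named above (HSTS also appears under DoS security). The 180-day HSTS threshold, the pass/fail rules and both sample header sets are assumptions constructed for illustration.

```python
import re

MIN_HSTS_SECONDS = 180 * 24 * 3600  # assumed adequacy threshold (180 days)

def audit_headers(raw_headers):
    """Grade the five headers listed above; returns {name: (ok, reason)}."""
    # Header names are case-insensitive, so normalise before lookup.
    h = {k.strip().lower(): v.strip() for k, v in raw_headers.items()}
    report = {}
    # HSTS: present, with a max-age long enough to matter.
    hsts = h.get("strict-transport-security")
    m = re.search(r'max-age\s*=\s*"?(\d+)', hsts or "", re.I)
    if hsts is None:
        report["HSTS"] = (False, "missing")
    elif not m or int(m.group(1)) < MIN_HSTS_SECONDS:
        report["HSTS"] = (False, "max-age absent or too short")
    else:
        report["HSTS"] = (True, "ok")
    # CSP: split into directives; script-src falls back to default-src.
    csp = h.get("content-security-policy")
    directives = {}
    for part in (csp or "").split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
    has_src = "script-src" in directives or "default-src" in directives
    src = directives.get("script-src", directives.get("default-src", []))
    # A nonce or hash makes browsers ignore 'unsafe-inline'.
    guarded = any(t.startswith(("'nonce-", "'sha")) for t in src)
    if csp is None:
        report["CSP"] = (False, "missing")
    elif not has_src or ("'unsafe-inline'" in src and not guarded):
        report["CSP"] = (False, "scripts unrestricted or inline allowed")
    else:
        report["CSP"] = (True, "ok")
    # Clickjacking: X-Frame-Options, or an equivalent CSP frame-ancestors.
    xfo = h.get("x-frame-options", "").upper()
    framed_ok = xfo in ("DENY", "SAMEORIGIN") or "*" not in directives.get("frame-ancestors", ["*"])
    report["X-Frame-Options"] = (framed_ok, "ok" if framed_ok else "framing not restricted")
    nosniff = h.get("x-content-type-options", "").lower() == "nosniff"
    report["X-Content-Type-Options"] = (nosniff, "ok" if nosniff else "not nosniff")
    # X-XSS-Protection: recorded as present or absent only.
    present = "x-xss-protection" in h
    report["X-XSS-Protection"] = (present, "present" if present else "missing")
    return report

# Constructed sample header sets (not taken from any real exchange).
WEAK = {"Strict-Transport-Security": "max-age=3600", "X-Frame-Options": "ALLOWALL",
        "Content-Security-Policy": "default-src 'self' 'unsafe-inline'"}
STRONG = {"strict-transport-security": "max-age=31536000; includeSubDomains",
          "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
          "X-Content-Type-Options": "nosniff", "X-XSS-Protection": "0"}
```

Calling `audit_headers(WEAK)` fails all five checks, while `audit_headers(STRONG)` passes them, including the clickjacking check satisfied through `frame-ancestors` rather than `X-Frame-Options`.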
Last year, the situation with security across 140 analyzed crypto exchanges was quite saddening:
The figures above reflect the reality: there is no correlation between crypto exchange trade volumes and its security posture.
Defense in practice
In addition to standard security systems such as multifactor client authentication (for example, 2FA), we consider it crucial to provide additional layers of security. They come in the form of additional (unique) codification of operations confirmation (various QR codes and CAPTCHA), and the formation of modules that store access keys on user devices for signing operations (tokens).
We realize the need to keep up to date and move with the times. Therefore, it is essential to adopt innovations in the cryptocurrency world, and to go even further than that.
At a certain point we felt the need to separate financial operations of platforms from operations with own funds. Being more scrupulous about security, one will come to the conclusion that various entry points imply different levels of security. Anti-fraud algorithms are used for active monitoring and safe-watching of customers' financial transactions and of operations with the exchange's own assets, for sounding the alarm on unusual behavioral patterns, for blocking and rejecting automated operations, and for notifying users and security managers.
The combination of technological security, cluster security (separation of operations), and logical security, create an unbreakable barrier for intruders.
The security management process is based on the system improvement principles.
The system is divided into accessibility modules by various types of information and its processing, such as: personal information about the client, operations, balance sheets, commands and functions, etc. Each module has its own security level which is individually checked for threats, and the threat handling process is built for each level. The “new” threats are monitored and the level of resilience is checked for the threat that has arisen in the context of the modules.
Graphically, this can be displayed as follows:
This process allows the system to maintain a threat list and constantly adapt the security system. At the same time it is vital to keep in mind that, in the realm of IT, an attack is always ahead of protection. Therefore, modularity and levels allow for the prevention of threats at an early stage and reduce losses. The system, as a whole, adapts to new challenges rather quickly. This management process is logical and justified by the time and behavioral models of network participants.
To regulate or not to regulate? Not the question
People who have a vague idea about cryptoworld as a financial system do not express much trust in the power of regulation. If they could walk a mile in our shoes they would definitely see the strong bond between regulation and security. Regulated platforms are accountable organizations, which means they have something to lose. They have no other options, loopholes, or chances to compromise decency. They operate under the sword of justice, therefore, they must follow the prescriptions of the regulatory body.
The exchange without regulation can afford to cut down on some trifles, but this will inevitably lead to large-scale losses for its users. Registered crypto projects are not only attractive in terms of security; regulation establishes ethical, moral principles and constraints business will never step over. These exchanges allow traders to rest easy and deal with things in a safe environment.