Crypto Exchanges are not far behind the Blockchain in the number of errors
Over the years, digital thieves have stolen millions of dollars’ worth of cryptocurrency from various exchanges. The crypto market attracts a huge number of investors and everyone hopes to get the highest returns and it doesn’t bother anyone that once your crypto is stolen, you won’t get the refund, transactions and assets are not secured in any way, which makes investing in cryptocurrencies really hazardous. The largest crypto exchanges contain vast amounts of digital cash. These facts are really attractive for hackers.
Today more than 200 crypto-exchanges offer their services and this number is constantly growing, therefore, the fall or hacking of the one exchange will not lead to a drop in the market, as it could have been before, furthermore many countries are beginning to introduce regulatory requirements for crypto-exchanges, but still nobody is fully protected from the loss of their crypto assets, therefore, invest in reliable assets, diversify your portfolio and choose good crypto exchanges.
We selected exchanges whose daily trade value exceeds $100,000; the total number of exchanges on the list is 130.
The report will discuss the following issues in detail:
In comparison with the previous report, most of the parameters have been revised and checks from known attacks, that were not included in the previous one, were added. The report consists of four sections:
● User Security
● Domain & Registrar Security
● Web Security
● DoS Protection
For verification, accounts were created on each exchange and a test was conducted, on the extent to which the security of the user account was ensured, using the following parameters:
● A check for errors in the content of the exchange code, which could lead to malfunctions in the application.
● The ability to create a weak password.
● Confirmation of actions on the stock exchange through mail.
● Availability of 2FA.
Domain & Registrar Security
A check for errors related to the domain and registry. The following parameters were inspected:
● The Registry lock is a special flag in the registry (not your registrar) that prevents anyone from making changes to your domain without out-of-band communication with the registry.
● Security-conscious organizations avoid leaking this kind of private information by using role accounts to register their domain names. Role accounts protect individuals in your organization from being targeted by attackers.
● We recommend at least a 6-month expiration window for high profile domains. This is enough leeway to deal with unforeseen complications, such as an employee owning the domain leaving the company (again, this is a good reason to use Role Accounts).
● DNSSEC eliminates the threat of DNS cache poisoning by authenticating all DNS queries with cryptographic signatures. Instead of blindly caching DNS records, DNS servers will reject unauthenticated responses.
The web security was analyzed depending on whether the exchanges were protected from the following errors and attacks, and whether they met certain security standards:
● HSTS header presence.
The HTTP Strict-Transport-Security response header (often abbreviated as HSTS) lets a website tell browsers that it should only be accessed using HTTPS, instead of using HTTP.
● Clickjacking attack protection
A malicious technique of tricking a web user into clicking on something different from what the user perceives they are clicking on.
● Drive-by Download attack protection
Unintended download of computer software from the Internet.
● Man-in-the-middle (MITM) attack protection
Attack where the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other.
● POODLE attack protection
An exploit that takes advantage of the way some browsers deal with encryption.
● Heartbleed attack protection
Leads to a leak of memory contents from the server to the client and from the client to the server.
● Robot vulnerability protection
Vulnerability that allows RSA decryption and signing operations with the private key of a TLS server to be performed.
● TLSv1.3 presence
● HIPAA, PCI-DSS, NIST guidance compliance.
Denial-of-Service (DoS) attack protection
A cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the Internet.
Statistics & General rating
● All exchanges were protected from POODLE, Heartbleed and MITM attacks.
● 1% exchanges were not protected from Robot vulnerability.
● Only 37% exchanges have HSTS header.
● 60% exchanges protected from Clickjacking attacks.
● 74% exchanges were protected from DoS attacks.
● Only 16% of exchanges fall into the A category. None of the exchanges have received an A+ rating.
● For the second time, Kraken is ranked first and was protected from most attacks.
Out of 130 exchanges only 21 got the A score, most of exchanges got the B score that means they are protected from most of attacks but have some issues. None of the exchanges got the A+ score, so none of them are ideal. You can find full report and full rating table at ICORating website.