Journalist, crypto enthusiast
Cryptomarket is experiencing a new rise; more people are entering the crypto space via trading on exchanges or storing crypto assets in wallets. However, lots of problems remain unsolved. Just recently, the Japanese crypto exchange Bitpoint has lost $32M. So, at this point, sending money via blockchain may not seem as secure as they were in the beginning. In this article, I’m sharing my view on how to address the existing challenges.
Transactions on blockchain has many advantages: they are irreversible, they are decentralized and not easy not hack. If you did your transaction on blockchain, nobody can block or take your money how can banks or PayPal do if you transfer your funds with them.Despite the fact that the use of blockchain in many aspects solves the security problem
There are several common vulnerabilities of crypto exchanges.
Weak internal security policy
People employed at cryptocurrency exchanges sometimes use weak passwords or store their login credentials on insecure external devices. Thus the sensitive data becomes an easy target for criminals. At least three known attacks have happened due to compromising of workers’ login details: Bithumb, NiceHash and YoBit hack all happened in 2017. It's important to mention that hackers usually attack personal computers of staff. In the case of Bithumb, for example, the hack became possible because the data was stored on a personal computer. These events inevitably raise the question: how well the staff knows the security policies of the company? How often there are holding special questionings, tests for the workers to find out that they are following the security policy? Not many companies are paying enough attention on that. Consequently, all the people in a company who has access to sensitive data need to be sure that all their applications are protected not only on a corporate computer, but also on a personal laptop; and of course, how well qualified the users are.
How to solve it?
Companies have to make sure that staff knows about protection measures when storing their login credentials not only on work computers but also on private ones and external devices. It may be wise to hire a person who will supervise the execution of security policy internally.
People working for the company should be aware of different fishing methods (emails which looks like email from the well known companies and services such as Google, Uber, but might be willing to still your personal data if you click on it). Workers should not post many sensitive data such as birthdays, name of the parents and boss and etc. in the social media, because it could be used by fraudsters as well. All the passwords should be complicated and different.
2. Using the same private key
WalletGenerator.net, an online online paper wallet generator for different cryptocurrencies, was running on code that caused the same private key/public key sets to be issued to multiple customers (ones who came from the same ip address). The weakness was demonstrated in a blog post. Vulnerability was caused by malicious code that affected random key generation.
How to solve it?
One of the best solutions is to use hardware tools to generate and store keys; they are almost impossible to hack.
In addition, all users of crypto services should check if the platform/product employes it (by contacting support or digging deeper and researching forums like Bitcointalk).
3. Code vulnerabilities
The “Mt. Gox hack”, one of the most notorious attacks in crypto history, was conducted by hackers who has found vulnerabilities in the exchange’s transaction algorithm. The attack resulted in the loss of $473M and bankrupted the hacked exchange. What happened? The developers of Mt. Gox just simple did not update the form of hash which was updated previously by bitcoin blockchain. And while transactions were completed successfully the Mt. Gox system did not see the hash in bitcoin distributed ledger cause it was formed differently. So Mt. Gox did not change the balance of the user because of the “unconfirmed” by bitcoin blockchain transaction, while it is actually was verified.
Why do people trust exchanges like Mt. Gox? There are several reasons.
As Daniel Kelman, lawyer and creditor of Mt.Gox says, “for the longest time Jed McCaleb [CEO and founder of Mt. Gox] banked all the Mt. Gox customers out of his own personal bank account at JP Morgan Chase in New York. This guy was banking everyone out of a personal bank account. It was the only exchange in the world that was charging fees that were like 0.6%”.
But low commissions and backing funds by fiat are not the only things you should look on when you enter the new exchange.
How to solve it?
By relying not only on blockchain safety but also on additional measures of online security like multi FA, TLS connection and others. Also all the keys should be stored not centrally on the cryptoexchange or at the wallet server, but on the devices.
“User experience in financial products has always been a hard tradeoff between security and convenience.” — says Dmitri Zhuravlenko, CTO USDX Wallet — “For our wallet we crafted a combination of strong encryption algorithms along with specially designed key derivation routines that allow users to access their private data using relatively simple password, but gives a serious challenge for attackers who’ll try to hack the data. And this is just a part of the measures we take to protect our customers.”
4. Vulnerabilities in open source data library
Sometimes fraudsters publish open source code with vulnerabilities on purpose. And if the developers of the crypto exchange or wallet are not that bright they might use it, giving the thieves access to user’s hot wallets.
How to solve it?
The only way to solve it is to hire qualified developers and double check the code, better not blindly trust sources as GitHub.
Despite all the hype, the crypto industry is still in its infancy. There are many startups made “within a day,” using open source code from Github, and therefore not really secure. Users have to opt for trustworthy services if they want to be sure in the safety of their funds and digital assets. As for developers, they have to prioritize security measures over user-friendly interface or speed of the transaction.