8 ways to ensure that the crypto exchange security system really makes your exchange secure
Crypto exchange security
Bitcoin has shown that it stands on solid foundations. Consider that it has been with us for 12 years already, and thousands of other cryptocurrencies have sprung up in that time. Over the same period, thieves and fraudsters have stolen millions and millions of dollars’ worth of cryptocurrencies from users and exchanges.
The crypto market is growing every day, and bigger volumes of crypto call for greater responsibility and thus for better security, both for users and for cryptocurrency exchanges. If security within the space is not improved, mass adoption of crypto won’t happen, because new people will be afraid of using it. Almost every week there is news about some leak of private data or a hack of a cryptocurrency exchange.
Hacking a crypto exchange was never a better deal. Not only are there more and more of them, but they also store interesting amounts of money. Why wouldn’t anyone want to become a millionaire overnight just by finding a security gap in one of the crypto exchanges?!
OK, let's be more serious for now. Cybercriminals have been around since the creation of the internet. So it's understandable that they are present here and now, within the crypto industry, where big money flows.
In the previous article, I described the process of starting your own crypto exchange business and how costly it is. But let’s have a look at the security side of things. Anyone who is serious about owning an exchange needs to consider many different safety aspects.
The main question on every newcomer's mind is probably: “Is it safe enough to send money and crypto to cryptocurrency exchanges?”
3+1 biggest thefts from crypto exchanges
From the moment Bitcoin started to be traded on an exchange, there were attempts to steal it. It's natural: where there is value, there is someone who wants to get it for himself. And the bigger the bag of money, the more thieves and fraudsters show up with improved techniques.
Today almost 300 crypto exchanges exist and new ones are still being created. There were a dozen exchange hacks and leaks over the years, but let’s look at the most significant ones in terms of value and how much they were talked about.
1. Coincheck – $534 million
The Japanese crypto exchange Coincheck was hacked at the beginning of 2018, when thieves stole over $534 million in the cryptocurrency NEM, which at the time sat in the top 10 according to CMC. It happened because all 523 million NEM tokens were stored in one hot wallet without any multisignature security! Hackers probably sent malware to Coincheck staff and obtained remote access to the system.
2. Mt.Gox – $450 million
Mt.Gox was robbed twice. In 2011, it lost 80,000 BTC. But the second theft, in 2014, was even more significant because the value of Bitcoin was higher and hackers stole 850,000 BTC, which is around $29 billion at today’s price! Hackers gained access to the unencrypted wallet.dat file, which stored the private keys to the exchange's funds.
3. BitGrail – $170 million
The Italian crypto exchange BitGrail was hacked in early 2018, when 17 million NANO coins, worth 170 million USD at that moment, were lost. It happened due to two main vulnerabilities. First, the JavaScript validation code was easily tricked, so a user could withdraw more funds than were in his account. Second, a permission bug let users withdraw funds using the account balance of a different user.
+1 extra case: Binance
This one is significant not for the amount of stolen funds, but for the main actor. Binance is the biggest and probably the most secure crypto exchange nowadays, and still, the attackers managed to overcome its security measures. In May 2019, hackers used malware to steal about 7000 BTC and KYC data from up to 60k users. So even the largest and most secure exchanges couldn’t avoid vulnerabilities in their systems!
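The two BitGrail flaws described above (validation done only in browser JavaScript, and a missing ownership check on the debited account) are both closed on the server. The sketch below is an added example, not BitGrail's or any exchange's code; the Ledger class and its method names are hypothetical, and the balances are constructed sample data.

```python
# Added illustration, not BitGrail's code: Ledger and its methods are hypothetical.
import threading
from decimal import Decimal, InvalidOperation


class WithdrawalError(Exception):
    """Raised when a withdrawal request fails a server-side check."""


class Ledger:
    def __init__(self, balances):
        self._balances = dict(balances)   # {account_id: Decimal}
        self._lock = threading.Lock()

    def balance(self, account_id):
        return self._balances[account_id]

    def withdraw(self, session_user, account_id, raw_amount):
        # Permission check: only the authenticated owner may debit an account.
        # session_user comes from the server-side session, never from the form.
        if account_id != session_user:
            raise WithdrawalError("account does not belong to session user")

        # Re-validate the amount on the server; browser-side JavaScript checks
        # are a convenience and can be bypassed by any client.
        try:
            amount = Decimal(str(raw_amount))
        except InvalidOperation:
            raise WithdrawalError("amount is not a number") from None
        if not amount.is_finite() or amount <= 0:
            raise WithdrawalError("amount must be a positive number")

        # Check and debit under one lock so two parallel requests cannot both
        # pass the balance check against the same funds.
        with self._lock:
            if amount > self._balances[account_id]:
                raise WithdrawalError("insufficient funds")
            self._balances[account_id] -= amount
            return self._balances[account_id]


if __name__ == "__main__":
    ledger = Ledger({"alice": Decimal("10"), "bob": Decimal("500")})  # constructed data
    print(ledger.withdraw("alice", "alice", "4"))        # remaining balance
    for args in [("alice", "bob", "100"), ("alice", "alice", "-1")]:
        try:
            ledger.withdraw(*args)
        except WithdrawalError as exc:
            print("rejected:", exc)
```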
The most popular ways to hack the exchange
Besides the cases mentioned in the previous section, security breaches are still very common. Hackers have several options for getting malicious code into a cryptocurrency exchange, or at least into part of it. The entry point can be anything with access to sensitive data: the computer of one of the workers or the server. Let’s have a look at the most popular hacking methods.
Hacking the exchange application
There are several ways a user can access a crypto exchange: through a web browser, or a desktop or mobile application. All of these have some kind of vulnerable spots. The most popular ways to attack the communication link between an exchange and the end user are malware, phishing, keyloggers, DDoS attacks, clickjacking attacks, watering hole attacks, eavesdropping attacks and cookie theft. The goal of any exchange is to identify and prepare for potential attacks.
Hacking of hot wallets
Hacking one or several hot wallets of a cryptocurrency exchange is the simplest way to get access to the crypto assets. That doesn't mean it is easy to hack the exchange or its server, but once the hacker has access to those hot wallets, the funds can be moved anywhere else.
Let’s get back for a while to the specific hacks described earlier in this article. The previous failures taught an important lesson to all new exchanges. Just look at how long it took Mt.Gox to realize that its assets were no longer in its hot wallets: several months! Nowadays it seems impossible not to notice within a few days, or weeks at most.
You can read more about the insecurity of hot wallets below, in the next section.
Social engineering hack
Social engineering is one of the ways to get sensitive data or access to it. It is usually done by impersonating a trusted source, for example an employee whose personal details are publicly available.
The attacker typically sends a .doc, .dot, or .exe file to a crypto exchange worker, with some relevant info and even the name of a person with whom he previously communicated. After the file is opened, the user’s device is infected with malware. The only effective protection is to inform your employees about new potential threats.
How crypto exchanges are protected
But what if you have your own crypto exchange or are thinking about starting one? Here are some cryptocurrency exchange security guidelines that are good to follow if you want to maximize the safety of your funds and your clients' funds. Let’s check our 8 ways to secure a cryptocurrency exchange.
1. Storage in cold wallets
Do you know the safest way to store cryptocurrencies from a user perspective? It’s a hardware wallet such as Trezor or Ledger. Because the private keys are stored offline in the device and not online, we also call it cold storage. The opposite is a hot wallet, where your coins are stored online and ready to use all the time.
But what about exchanges?
Do you remember the Coincheck example from the beginning of this article, where one single hot wallet stored all of the NEM tokens? That would never have happened, or at least not on such a huge scale, if Coincheck had used a combination of hot and cold wallets. Hacking the exchange's server threatens customers' assets when all the assets are stored in hot wallets.
Because the blockchain is fully transparent, attackers can use on-chain analysis to observe and track which wallets serve as hot and which as cold storage. Exchanges may also utilize pre-cold and pre-hot wallets to improve the level of crypto security.
Cold wallets should contain the majority of cryptocurrencies because they are not directly connected to the internet.
Hot wallets serve as a liquid reserve that lets the exchange process clients' withdrawals swiftly.
Some exchanges such as KuCoin have also separated the assets in the customer’s interface. Users can hold cryptocurrencies in both a Main Account and a Trading Account. The Main Account serves for deposits and withdrawals, so those funds need to be held in a more liquid form, for example in a hot wallet, while the Trading Account is intended as a liquidity pool for crypto transactions and trading. Until crypto assets are moved from the Trading Account into the Main Account, they cannot be withdrawn, which means the exchange doesn’t need to keep them in hot storage while they are in the Trading Account.
2. Two-factor authentication
Two-factor authentication is a must within the crypto space for security reasons. Some exchanges use not just two factors but three or more. Passwords hold up only until they are cracked. The cause can be the user's own carelessness, such as setting a weak password or reusing the same one on several accounts. To get access to users’ passwords, hackers commonly use practices like keylogging or sending out spyware that plants malicious code on computers. Once the password is stolen or found, the attacker waits for the proper moment to use it to his advantage.
Multi-factor authentication is a second security layer on top of the password when logging in or withdrawing funds. Two-factor authentication can take the form of a text message sent to a phone or an e-mail. A popular way is to use a dedicated mobile application such as Google Authenticator or Authy, which produces a unique numeric code valid for a specific period of time.
Using multi-factor authentication is essential because it’s simply another layer of security protecting the handling of your valuable crypto assets.
3. Account linked to a specific IP address
This security precaution is not used as widely as some others, but it can limit the attacker as well. Once the account on the crypto exchange is linked to one or several IP addresses, it’s much harder to get around it.
Major exchanges monitor the IP addresses from which a user logs in, but only for informational purposes, to show the user his previous activity. There is no specific notice, so it is left entirely to the customer to review his own activity and watch for any fluctuations or suspicious events.
But the first exchanges are starting to send users a message in case of any suspicious access to their account, for example from an unknown geographic location, or from a different computer or browser than the one the user usually uses to visit the exchange.
4. Notification messages when funds are withdrawn
Another important security precaution is informing a user about withdrawing funds.
This move can inform the account holder just at the right time: when the hacker is trying to move crypto assets to an address he controls.
The major exchanges send notifications not only for withdrawals of cryptocurrencies but also for deposits. This helps customers become aware if anything inappropriate happens.
Some exchanges go far beyond just notification emails about withdrawing funds. They let you click an active button directly in the body of the email, which can cancel the transaction or even suspend the account if there is some unknown or suspicious activity on your account.
5. Withdrawal block after changing account data
Changing account data such as the associated email address or phone number is typical behavior of a hacker. Once the attacker gets access to the account, he must be sure that he can approve the withdrawal with a phone or email he controls.
By blocking withdrawals for several days, or even a week or two, after some account settings are changed, a crypto exchange prevents this type of malicious behavior. For the attack to succeed, the hacked person must not find out about it, at least until the withdrawal is confirmed.
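The IP linking from point 3 and the withdrawal block from point 5 can be evaluated together each time a withdrawal is requested. The following is an added example, not code from any exchange; Account, record_change and check_withdrawal are hypothetical names, the 7-day hold is an assumed value within the range given above, and the addresses come from documentation ranges.

```python
# Added illustration; Account, record_change and check_withdrawal are hypothetical
# names, and the 7-day hold is an assumed value within the range the article gives.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
from typing import List, Optional

HOLD_AFTER_CHANGE = timedelta(days=7)
SENSITIVE_FIELDS = {"email", "phone"}       # the account data the article names


@dataclass
class Account:
    linked_networks: List[str]              # empty list = IP linking not enabled
    hold_until: Optional[datetime] = None   # withdrawals blocked before this time


def record_change(account: Account, field_name: str, now: datetime) -> None:
    """Start (or extend) the withdrawal hold when contact data changes."""
    if field_name in SENSITIVE_FIELDS:
        account.hold_until = now + HOLD_AFTER_CHANGE


def check_withdrawal(account: Account, source_ip: str, now: datetime) -> List[str]:
    """Return the reasons to block this withdrawal; an empty list means allow."""
    reasons = []
    if account.hold_until is not None and now < account.hold_until:
        reasons.append("hold_after_change")
    if account.linked_networks:
        ip = ip_address(source_ip)
        if not any(ip in ip_network(net) for net in account.linked_networks):
            reasons.append("ip_not_linked")
    return reasons


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)        # constructed timeline
    acct = Account(linked_networks=["203.0.113.0/24"])    # documentation range
    print(check_withdrawal(acct, "203.0.113.10", t0))
    record_change(acct, "email", t0)                      # contact data changed
    print(check_withdrawal(acct, "198.51.100.7", t0 + timedelta(days=3)))
    print(check_withdrawal(acct, "203.0.113.10", t0 + timedelta(days=8)))
```

Returning every reason rather than stopping at the first gives the notification email from point 4 something concrete to tell the account holder.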
6. Anti-fraud department existence
The anti-fraud department is one of the critical points in the company. The existence of such a department is very helpful, especially for big companies and crypto exchanges, in preventing and identifying any misbehavior. All exchange employees should know how to prevent and expose fraud even before it happens. Educating your own staff is one of the important steps.
On the other hand, besides its practical benefits, a company with a separate department focused on fraud detection sends an important message to clients and shareholders: that the company takes the fight against fraudsters and thieves seriously.
7. Customer insurance funds
Funds stored on the exchange can be insured in two ways. The first is through an external insurance company, and the second is to have them backed by some internal policy or regulation. When assets are stolen or lost, exchanges need to cover the losses of their customers; otherwise the consequences might lead to the end of their business.
Have you ever seen the CEO of Binance, Changpeng Zhao (CZ), tweeting that “Funds are safu”? What do you think of it – is he misspelling the word “safe”?
The answer is that it's said on purpose. Binance created the Secure Asset Fund for Users (SAFU for short) on the 14th July 2018, where it stores 10% of the trading fees it receives to protect Binance’s users and their crypto assets.
Later, in May 2019, as I mentioned earlier in this article, Binance, one of the biggest crypto exchanges, was hacked for 7 000 BTC. Thanks to this asset fund, it was able to cover the lost cryptocurrencies, so its customers didn’t lose anything.
From now on, whenever you hear CZ talking about “funds are safu”, think of their customer insurance fund.
8. Crypto exchange security audits
Similarly to customer insurance funds, periodic cryptocurrency exchange security audits play two major roles for the exchange business. Not only can an audit reveal weak spots in the security of a cryptocurrency exchange, but it also builds investor trust and legal certainty. Audits also play a big part in fulfilling regulatory frameworks in many jurisdictions. The room for money laundering and fraud of all kinds should be minimized to gain more credibility.
Previously compromised exchanges and their lax approach highlighted the importance of security audits, because in many cases a lack of both internal and external controls was found.
There are many different types of audits, but for crypto exchange-related business, the System and Organization Control (SOC) audits are the most relevant, because they are used to independently detect potential risks of the exchange and to inform clients that your company has effective internal controls implemented.
SOC 1 audit
A SOC 1 audit focuses on internal controls related to financial reporting (ICFR). The task of a SOC 1 report is to inform clients about the steps taken to detect and resolve risks, so that the services provided will not adversely affect the client's finances.
SOC 2 audit
A SOC 2 audit reports on IT security in these categories: security, confidentiality, processing integrity, information privacy, and availability. Audited companies can pick the security category plus some or all of the others. A SOC 2 report is important for compliance with the Trust Services Criteria required by the AICPA (American Institute of Certified Public Accountants).
SOC 3 audit
A SOC 3 audit is not used by companies that often. In comparison to a SOC 2 audit, a SOC 3 report doesn’t include a detailed description and results of the controls, and it can therefore be freely distributed.
SOC for cybersecurity audit
SOC for cybersecurity is one of the newer options, usually used by companies that need a formalized way to provide evidence of and report on their cybersecurity risk management program.
You can learn more about security technologies used in our crypto exchange solutions by exploring our white label crypto exchange.
Conclusion
A crypto exchange business can be very prosperous, but security must come first. Otherwise, the risks are higher than the possible revenues. One precise hacker attack on the funds stored in a cryptocurrency exchange can change everything for the worse.
Just take a look at the crypto exchanges that have been hacked in the past. Some of them like Mt.Gox, Cryptsy, Cryptopia or BitGrail don’t exist anymore.
Hackers and fraudsters are still developing new tools and techniques to gain access to the servers of exchanges and the applications of users. They have a good reason to do so: your cryptocurrencies. Millions worth of crypto assets stored on the exchanges are like honeypots to them.
Starting a crypto business without implementing an effective cybersecurity program is a very big risk, because then it's just a matter of time before something unexpected and unwanted happens. It's like playing with fire, where you can get burned very easily.