Security of a Cryptocurrency Exchange
1. What is a cryptocurrency exchange?
A cryptocurrency exchange, or crypto exchange, is a business that provides a platform that allows customers to trade cryptocurrencies or crypto assets . Such exchanges charge listing fees to include new crypto assets and make them available for trading. They also charge a transaction fee to facilitate the buying and selling of crypto assets.
2. Why is security so important for cryptocurrency exchanges?
Three primary reasons for securing cryptocurrency exchanges are:
- Cryptocurrency exchanges trade hundreds of millions of dollars in coins and tokens.
- Cryptocurrency exchanges store private customer data, like driver’s licenses, passports, utility bills, property rates, etc.
- Cryptocurrency exchanges need insurance companies to back their projects.
A security breach or a hack on a cryptocurrency exchange often results in huge financial losses for both the exchange and its customers. Hackers can access customers private data, which can then lead to identity theft. In the past, we have seen several security breaches on exchanges where hackers were able to steal millions of dollars worth of cryptocurrencies without leaving a trace. Security breaches like this put the cryptocurrency exchanges in a very difficult position financially and negatively impacts their reputation.
A lack of sufficient security leads to further cascading effects, such as difficulty in insuring the business. There are only a handful companies that will risk insuring a cryptocurrency exchange, even when that exchange has a flawless reputation and the most advanced cyber security. If an exchange has been hacked, it makes it even more difficult for the exchanges to get insurance. Insurance companies are now beginning to enforce stringent policies to manage their risks, and soon the only way to insure your business will be by proving the security of your cryptocurrency exchange.
Losing money and information is the worst thing to happen for an exchange. Hence, securing the exchange from the start is absolutely essential, so much so that it is becoming a functional requirement for any exchange software development project.
3. What needs to be secured in a cryptocurrency exchange?
If we consider the overall cryptocurrency lifecycle, there are three main areas to secure:
- Securing the Coins or Tokens
- Securing the Exchange
- Securing the Wallets
When we consider security, there should be a holistic solution covering these three vital areas. In this report, we limit our discussion on the security of a cryptocurrency exchange. So what should be secured in a cryptocurrency exchange? Securing a cryptocurrency exchange is a massive undertaking and requires significant considerations from the crypto perspective, as well as the infrastructure perspective. This article reports the preliminary findings from our research into securing cryptocurrency exchanges. We reviewed and evaluated eleven exchanges and studied their password policies and their HTTP security headers to understand the current state of security implementations. In general, our findings indicate that the majority of exchanges can improve their password policy and implement HTTP security headers to strengthen the overall security of the platform. While this study only reports on these two aspects, there are a number of other security aspects, such as network security, email security, database security and more, that should be considered by cryptocurrency exchanges, which are not covered here.
3.1 Password Policy
The foremost security aspect for cryptocurrency exchanges is a strong authentication mechanism. Exchanges should implement a strong password policy (examples of the strong password policy are shown with the six points below. There is not a standard strong password policy, however, something that needs to be rectified), coupled with 2-Factor Authentication or multi-factor authentication However, many exchanges do not implement a strong password policy or multi-factor authentication and become susceptible to attacks. We reviewed eleven exchanges to gain insights on their password policy implementation. See the results of this review in Table 1 below. We compared the password strengths along six dimensions. We checked for the following:
- Password requires 8 or more characters
- Password policy limits the use of reserved words in passwords
- Password requires a combination of letters and numbers
- Password strength – how easy it is to guess the password, a lack of required characters (i.e. special characters, a combination of capital and lowercase letters, etc.)
- Account creation requires account activation email
- Two Factor Authentication
Table 1 Password Policy
Difficulty viewing this table? Click here.
Figure 1 Password Security Policy
We were able to make several interesting observations. None of the exchanges considered restricting the use of reserved words for password. We tried “admin” and “root” as the password text, combined with the numbers, and it worked as a strong password. This is extremely critical and a strong password policy should limit the user of reserved words in password. There are several words and phrases, including the word “password”, that are commonly used in passwords and that are extremely easy to guess. A strong password policy would reject any proposed passwords attempting to use these commonly used words or phrases. It should also flag cases when numbers are used in a serial order e.g. “123456” or “123”. Some exchanges did not enforce using a special character in the password so we were able to register with a password like “Admin123”. Overall, it seems that although some form of password strength is considered, it is far from ideal. Password policies should be given a great deal of thought and should cover all possible angles to make it difficult as possible for hackers to compromise user accounts.
3.2 HTTP Security Headers
The next thing to consider is the HTTP security headers, as they offer another level of security for the exchange or the web platform. Security headers are relatively simple to implement, as they only require a few server side configuration changes while strengthening your overall security framework, mitigating attacks and security vulnerabilities. HTTP security headers instruct browsers in how to behave when interacting with your website’s content and data. For example,
strict-transport-security, tells the browser to only communicate over HTTPS. Similarly, when implemented,
content-security-policy, prevents cross-site scripting attacks. The
x-frame-options header protects against clickjacking and prohibits loading of iframes on the site. We reviewed the eleven platforms to assess their HTTP Header Security implementation and found interesting results. See Table 2 below for a comprehensive list of our findings.
Table 2 shows that none of the exchanges have implemented
content-security-policy. Only one exchange has implemented HTTP
public-key-pins. 54% of exchanges did not implement
Redirection was implemented by 9 exchanges, whereas
Subresource Integrity was again missed by all the exchanges.
X-frame-options was only implemented by 7 (63%) exchanges and
X-XSS-Protection was implemented by just 5 (45%) exchanges.
Overall, it seems that implementing HTTP Security Headers are not a big task, but the majority of the exchanges have either overlooked it or not given it much thought.
Figure 2 HTTP Security Headers Implementation
Table 2 HTTP Security Headers Implementation
Difficulty viewing this table? Click here.
3.3 Non-Technical Security Solutions
Hacker bounty programs: Other than implementing technical solutions to strengthen the security of the system, exchanges can take an offensive stand against hackers by providing cash rewards or bounties for people who can report on hacks on cryptocurrency exchanges. Binance has started such a program, and allocated $10 million dollars towards this initiative. This will attract cybersecurity experts to not only assess the security of the platforms, but to conduct a more thorough investigation secure the bounty.
Rewarding experts: Another non-technical solution to the problem is to reward cybersecurity experts for identifying potential vulnerabilities and report it to CERTs to prevent propagation of such vulnerabilities across other platforms. Buglab has allocated $2 million dollars for such an initiative.
I have read several security reports and studies that mention that cryptocurrency exchanges should provide minimum security standards. I, however, strongly suggest that cryptocurrency exchanges should provide maximum security standards. I think it is important not to underestimate the task of running a cryptocurrency exchange or the importance of providing the maximum amount of security from the ground up. This involves incorporating security practices while the software platform is being developed and not confusing blockchain security with exchange security. Exchange software is developed or programmed independently from the blockchain, and is a custom code running on a cloud. Hence, the security of an exchange does not depend on the inherent security features of the blockchain. Relevant infrastructure security should be in place to ensure that an exchange is secure to trade and manage. As mentioned earlier, security is critical when dealing with financial transactions because stolen cryptocurrency usually cannot be recovered. Consumers need to have the trust and confidence when selecting an exchange. A cryptocurrency exchange needs to demonstrate and communicate the strong security that has been built into their exchange at the foundation.