Cryptocurrencies rely on the blockchain, a decentralized ledger that records every transaction ever made within it. The network consists of many nodes that each maintain a copy of the ledger. To take control of the network and tamper with transaction data, an attacker would have to compromise most of those nodes, which is practically impossible. So, if the blockchain is as safe as houses, why on earth are people still afraid of hackers? The weak point is the cryptocurrency exchanges.
Since 2011, there have been 31 attacks on large cryptocurrency exchanges, with almost $1 billion stolen from just two of them! You can check the full list. Exchanges are so vulnerable because they are centralized: coins are stored on the exchange's servers, and servers can be hacked. Some websites, known as decentralized exchanges or DEXs, are more reliable because they don't hold users' funds and only act as a marketplace that connects traders. But such exchanges are not user-friendly and do not guarantee the reliability of each individual trader.
In this article, we will highlight the basic security measures implemented by popular centralized exchanges as well as their vulnerabilities.
Since cryptocurrency exchanges are websites, it’s clear that they should take basic security measures like protection from DDoS attacks or full encryption of user data. Surprisingly enough, not all exchanges do that. Sqreen analyzed 140 platforms and created the ultimate guide to basic security solutions implemented by cryptocurrency exchanges.
According to them, 20% of exchanges have no DDoS protection, 60% do not comply with the Strict Transport Security standard, 80% expose sensitive data, and 98% do not support Content Security Policy.
These figures concern the technical maintenance of the websites, so let's leave them to the developers. But what about crypto-specific security measures? Here are the top five of them!
1. Two-factor authentication or 2FA
2FA is the most common protection mechanism and is used by many websites, social networks, and financial institutions. With it, you must present two different credentials to enter your account: typically a regular password plus a one-time alphanumeric code. Most exchanges offer two ways of receiving this code:
- Via text message or call. A combination of digits is sent to your smartphone or tablet.
- Via a dedicated app. The codes are displayed in an app such as Authy or Google Authenticator.
The second approach is more reliable because each code is valid only for a short period: the app generates a new combination every minute or so. Hackers can still gain access to your phone, but that requires extra effort. Usually they will not try to break into an account protected by 2FA unless they know that hundreds of BTC are stored there.
2. Multi-signature and time-lock
To perform a transaction, users confirm it with the private keys associated with their wallets. Normally a deal requires only one key. As extra security, some exchanges introduce multi-signature (multisig) confirmation, which requires two or more keys. Addresses are described as 2-of-2, 2-of-3, 3-of-5 and so on, where the numbers define how many signatures are required, out of how many authorized keys, to make a transaction.
Time-lock is similar to multisig but adds a time constraint. With it, a transaction can only be completed after at least two keys/signatures are entered within a specific time frame. The first key can be entered whenever you want, but the second one only after a certain period, say 24 hours. If you do not confirm the transaction with the second key, it is cancelled. Thus hackers can't spend the money even if they get hold of one of your keys.
Multi-signature is already used by Coinbase, CEX.IO, and Bitstamp, while time-locks are still in the works.
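The two mechanisms above combine naturally into one withdrawal policy: M of N authorized signers must approve, the second and later approvals are only accepted after a delay, and the whole request is cancelled if the threshold is not reached before it expires. The following is an added example written for this article, not code from Coinbase, CEX.IO, Bitstamp or any other exchange. Per-signer HMAC secrets stand in for the per-signer key pairs a real multisig wallet would use; the signer names, the 24-hour delay and the 48-hour expiry are constructed values.

```python
# Added example: an M-of-N approval policy with a time-lock and an expiry.
# HMAC over a shared secret stands in for a real signature; in a real wallet
# each signer would hold a private key and the policy would verify public-key
# signatures instead.
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Policy:
    signer_keys: Dict[str, bytes]  # signer id -> secret (stand-in for a public key)
    threshold: int                 # M in "M-of-N"
    delay: int                     # seconds after the first approval before another counts
    expiry: int                    # seconds after the first approval before cancellation


@dataclass
class Withdrawal:
    payload: bytes                                           # what the signers approve
    approvals: Dict[str, int] = field(default_factory=dict)  # signer -> time approved
    first_at: Optional[int] = None                           # time-lock starts here


def sign(key: bytes, payload: bytes) -> str:
    """A signer's approval token for this payload (HMAC stand-in for a signature)."""
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def approve(policy: Policy, w: Withdrawal, signer: str, sig: str, now: int) -> str:
    """Apply one approval. Returns "ok" or the reason it was rejected."""
    key = policy.signer_keys.get(signer)
    if key is None:
        return "unknown signer"
    if not hmac.compare_digest(sign(key, w.payload), sig):
        return "bad signature"
    if signer in w.approvals:
        return "duplicate signer"       # one key counts only once toward M
    if w.first_at is None:
        w.first_at = now                # first approval opens the time-lock
    else:
        elapsed = now - w.first_at
        if elapsed > policy.expiry:
            return "expired"
        if elapsed < policy.delay:
            return "too early"          # a stolen second key is useless until the delay passes
    w.approvals[signer] = now
    return "ok"


def status(policy: Policy, w: Withdrawal, now: int) -> str:
    if len(w.approvals) >= policy.threshold:
        return "approved"
    if w.first_at is not None and now - w.first_at > policy.expiry:
        return "cancelled"
    return "pending"


if __name__ == "__main__":
    # Constructed 2-of-3 setup with a 24 h delay and a 48 h expiry.
    keys = {"alice": b"k-alice", "bob": b"k-bob", "carol": b"k-carol"}
    pol = Policy(keys, threshold=2, delay=24 * 3600, expiry=48 * 3600)
    w = Withdrawal(b"withdraw 5 BTC to EXAMPLE_DEST")
    print(approve(pol, w, "alice", sign(keys["alice"], w.payload), 1000))        # ok
    print(approve(pol, w, "bob", sign(keys["bob"], w.payload), 2000))            # too early
    print(approve(pol, w, "bob", sign(keys["bob"], w.payload), 1000 + 24 * 3600))  # ok
    print(status(pol, w, 1000 + 24 * 3600))                                      # approved
```

The delay is what turns a key compromise into a detectable event: the legitimate owner sees a pending withdrawal they did not start and can cancel it before the second approval is accepted.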
3. Cold storage
Another feature implemented by a few major exchanges is cold storage. Regular crypto holders may be familiar with keeping coins on hardware devices that stay offline; exchanges use the same method. Hackers can't compromise hardware that isn't connected to the Internet, so the funds kept there are safe. The catch is that not all of the money can be stored offline: an exchange needs liquid funds to settle orders, and keeping everything in cold storage would mean closing orders and cutting trade volume. Cold storage is used by Binance, Coinbase, and Kraken.
4. KYC and AML
KYC and AML stand for Know Your Customer and Anti-Money Laundering. Simply put, these policies exist to identify and prevent fraud. Exchanges that comply with KYC/AML ask users to verify their accounts with national IDs, photos of bank cards, and sometimes documents proving their residential address. The exchange's compliance team monitors transaction activity and may decline suspicious transactions. While some crypto purists argue that KYC/AML contradicts the idea of anonymity, following these principles does help prevent fraud.
5. Insurance policy
This measure is uncommon among exchanges. It cannot protect the website or its traders from theft; instead it acts as a compensation policy. Exchanges may budget for insurance to hedge against the risk of financial losses, external threats, and software failures.
Main vulnerabilities
Having outlined the top security approaches, it is useful to review the general threats facing cryptocurrency exchanges. Here are four main weaknesses:
- Phishing. In 2015, a group of hackers disrupted Bitstamp's computer system with a malware attack; $5 million was stolen as a result.
- Human error. In 2017, the exchange was hacked after a leak of sensitive data: criminals obtained user logins and passwords once they had broken into an employee's home PC.
- Transaction malleability. The blockchain records transactions and confirms them using signatures, but an attacker can alter a transaction's ID before it is confirmed. This is what caused Mt. Gox to lose user funds in 2014.
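The malleability problem bites an exchange that keys its withdrawal bookkeeping on a transaction ID computed over the whole signed transaction: a copy of the same payment whose signature field is encoded differently is still valid, confirms under a different ID, and the original ID never appears on chain, so the exchange may conclude the payment failed and send it again. The following is an added example written for this article (a simplified model, not Bitcoin's real serialization and not any exchange's code): it contrasts an ID that covers the signature with one over the unsigned body only, which is the same separation SegWit later introduced in Bitcoin (txid excludes witness data, wtxid includes it), and tracks withdrawals by the stable ID so a re-encoded copy is recognised rather than re-sent. The transaction fields and addresses are constructed placeholders.

```python
# Added example: stable withdrawal tracking under transaction malleability.
# Simplified transaction model; not Bitcoin's actual wire format.
import hashlib
import json


def sha256d(data: bytes) -> str:
    """Double SHA-256, hex encoded (the hash Bitcoin uses for transaction ids)."""
    return hashlib.sha256(hashlib.sha256(data).digest()).hexdigest()


def legacy_txid(tx: dict) -> str:
    """Pre-SegWit style: the id covers the whole transaction, signature included,
    so any change to the signature encoding changes the id."""
    return sha256d(json.dumps(tx, sort_keys=True).encode())


def stable_txid(tx: dict) -> str:
    """Id over the unsigned body only (inputs, outputs, amounts). Re-encoding
    the signature leaves it unchanged."""
    body = {k: v for k, v in tx.items() if k != "signature"}
    return sha256d(json.dumps(body, sort_keys=True).encode())


class WithdrawalTracker:
    """Records sent withdrawals by stable id, so a copy of the same payment
    with a different signature encoding is recognised instead of re-sent."""

    def __init__(self) -> None:
        self.sent: dict = {}  # stable id -> transaction we broadcast

    def send(self, tx: dict) -> str:
        sid = stable_txid(tx)
        if sid in self.sent:
            return "already sent"  # refuse to pay the same body twice
        self.sent[sid] = tx
        return "sent"

    def reconcile(self, confirmed_on_chain: list) -> list:
        """Stable ids of our withdrawals not yet seen on chain. Matching by
        stable id means a malleated copy still counts as confirmed, so the
        retry logic never sees a phantom failure."""
        seen = {stable_txid(t) for t in confirmed_on_chain}
        return [sid for sid in self.sent if sid not in seen]


# Constructed sample data: one payment, and the same payment with only the
# signature field re-encoded (the part a malleability attack alters).
ORIGINAL = {
    "inputs": [{"prev_tx": "EXAMPLE_PREV_TX", "index": 0}],
    "outputs": [{"to": "EXAMPLE_CUSTOMER_ADDR", "amount": 5}],
    "signature": "sig-encoding-A",
}
MALLEATED = dict(ORIGINAL, signature="sig-encoding-B")


def demo() -> dict:
    tracker = WithdrawalTracker()
    tracker.send(ORIGINAL)
    return {
        "legacy_ids_differ": legacy_txid(ORIGINAL) != legacy_txid(MALLEATED),
        "stable_ids_match": stable_txid(ORIGINAL) == stable_txid(MALLEATED),
        "pending_after_malleated_confirm": tracker.reconcile([MALLEATED]),
        "resend_attempt": tracker.send(MALLEATED),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The operational lesson is the same regardless of the id scheme: a withdrawal whose id is missing from the chain is not evidence that the funds were not spent, and automatic re-sends should be gated on the inputs still being unspent rather than on the absence of an id.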
To protect your crypto funds, don't rely on exchanges alone. Use 2FA, install antivirus software, double-check all addresses and keys when making transactions, and always keep most of your coins in cold wallets. Be your own bank!