Security flaws in Crypto Exchanges and how to fix them!

9 min read

Table of contents

    Share this article

    By Amee Mehta
    Nov 3rd, 2020
    The ICO Rating report suggests that only 46% of cryptocurrency exchanges meet the desired security parameters. The remaining 54%, on the other hand, with sub-par security measures, left hundreds of investors and traders exposed. The same group of exchanges consists of 100 exchanges, and all have a 24-hour volume of over $1million. More than $1.3 Bn has been stolen from cryptocurrency exchanges since 2010, yet many of these exchange operators fail to recognize security as one of the important considerations. To ensure such threats and attacks aren’t commonplace, the exchange operator needs to have a comprehensive process for testing and eliminating security vulnerabilities. While post-incident measures can be effective, it is impossible for them to actually reduce the negatives to zero. For example, Coinrail stated that 70% of the total coin and token reserves to be safely stored and moved to a cold wallet. Two-thirds of stolen cryptocurrencies were frozen in collaboration with coin companies. This blog aims to go through the various security considerations that are needed throughout the process of cryptocurrency exchange development. We’ll also look at the best practices to follow in order to ensure the utmost security from your cryptocurrency exchange.  Susceptibility of cryptocurrency exchanges to phishing It is difficult to protect crypto exchanges from phishing attacks by even using the best technological measures. Back in 2015, criminals stole around $5 Mn. as a result of a week-long phishing attack against the Bitcoin exchange Bitstamp. The fraudsters received a file by email and on Skype from a legitimate company. Once downloaded, that attachment (containing malicious VBA script) installed a malicious file on the compromised machine. So, be sure to make your cryptocurrency exchange safe from phising.  Weak protection of employee login credentials Employees working at crypto exchanges often use weak passwords or store their credentials in a not very safe manner. All of this makes the login details easily available for criminals. This is why many times, hackers try to first invade the employees’ private systems. This brings the question of data security in companies and the ability of employees to take private and sensitive information to home. As a result, companies need to ensure that employees keep their credentials safe and secure related to software applications installed not just on computers allocated to employees but also on their personal computers. Missing hot wallet protections Many crypto exchanges use single private keys to secure hot wallets. If an unauthorized person gains access to that key, they will be able to trespass the hot wallet to which the key relates. Some examples of such private key attacks include the attacks on Bitfinex and Parity. These attacks cost more than $65 Mn to Bitfinex and around $30 Mn. to Parity. Cryptocurrency exchange platforms can simply avoid similar attacks by using multi-signature private keys. Also Read: Creating a stablecoin Software vulnerabilities Banks and financial institutions are obliged by various laws to execute information security measures to protect client deposits and avoid unauthorized transactions. However, since Blockchain is still in infancy, only a few laws apply to crypto exchanges. Thus, it is not very likely that many cryptocurrency exchanges have vulnerabilities allowing hackers to steal considerable amounts of money. Transaction malleability Advocates of Blockchain tech claim that these transactions are supremely secure as they’re recorded on an immutable record. However, it should be noted that every transaction has a signature that can be manipulated before closing any transaction. For example, the Mt. Gox hack was one of the biggest attacks in the history of crypto exchanges. It was conducted by hackers who submitted changes to the code to a public ledger before posting the initial transactions. By the end, this attack had cost immense loss, including $473 Mn.  Now that we have an idea of the various security flaws that can arise in any crypto exchange, let’s look at some important pointers to ensure that your crypto exchange is far away from these security flaws! Also Read: Blockchain in Voting

    Checklist to creating a secure crypto exchange;

    1. Plan a secure ecosystem It’s extremely crucial to give due consideration to your database, server-side, and client-side technologies. SQL injections are anyway rampant and continue to shake the world of the internet and Blockchain alike. Similarly, malicious Java snippets are another menace. The only way to limit all of this is by restricting third-party applications.  The last thing your crypto exchange wants is an imposter disguised as a customer inserting malicious codes into the ecosystem. To prevent this, always use fewer third-parties so that fewer third parties can insert data which can threaten the safety of the cryptocurrency exchange website. In all honesty, it’s close to impossible to completely eliminate DDoS attacks, XSS attacks, and SQL injections, but you can still plan your exchange ecosystem in a manner that prefers security over costs. Because in the end, as a cryptocurrency exchange, your platform will be dealing with third-party funds. Any negligence in this respect can lead to grave consequences, both financial and legal. You sure don’t want to end up like Mt. Gox CEO Jed McCaleb, who allegedly lost 80,000 BTC. 2. Educate your customers We all know that Blockchain is relatively newer tech, and so it is for your customers too. And still, people are increasingly getting more interested and finding ways to jump the Blockchain bandwagon.  Many a time, investors who invest in these currencies are also clueless about the inner workings of Blockchain and cryptocurrencies. This lack of awareness makes it difficult for exchanges to ensure the safety of the virtual property.  Therefore, it is extremely important for crypto exchange platforms to go the extra mile and inform investors and customers. This can be done by posting blogs on your website, using social media space, sending educational newsletters or whitepapers on security measures, and more! 3. Keep things covered The point of the errors is for developers to find and deal with them, not for the hackers to enter via the front door. As a matter of fact, improper error handling can lead to a lot of issues by revealing much more data related to the core implementation of the exchange. You need to prevent stack traces and data dumps, and for that, you’ll need to have the right error handling mechanism in place. Without that, you might be unknowingly paving the way for hackers to get inside your ecosystem and find potential flaws! So, while hackers scratch their heads trying to enter your ecosystem, you should focus on proper error handling techniques in order to not reveal important data, including source codes, directories, or files to anyone except the authorized people.  4. Don’t forget 2FA The reason why Payment Service Directive 2 (PDA2 2) has mandated the two-factor authentication (2FA) for banks is that it provides an additional layer of security. This ensures an added layer of security, keeping hackers at bay. This same measure can be implemented for crypto exchanges in order to prevent fraudulent transactions and result in enhanced security. 5. Implement an SSL certificate  SSL certificate, short for Secure Sockets Layer certificate, can immensely help in gaining the trust of your customers. An SSL certificate connotes that the user data is encrypted, safe, and the site is entirely secure. Your customers are always increasingly more aware of cybersecurity and related threats. So, it’ll help to have your exchange’s URL bar showing the green padlock to build trust.  So, make it a point to get an SSL certificate or EV SSL Certificate for your cryptocurrency exchange. 6. Take the cold storage approach Cryptocurrencies that are stored in online hot storage are usually vulnerable to cyber-attacks. The other option here is to store them in cold storage, which is basically hardware wallets like Trezor. The downside here is the cost, but if you have investment potential to accommodate this, you should definitely invest in a cold storage wallet! 7. Perform regular pen tests In 2018, cyberattacks resulted in over a million dollars being stashed away from crypto exchanges. While there might not be one perfect way to avoid these attacks, one must definitely plan adequate preventive security measures. For this, it is important to regularly pen test your ecosystem and discover loopholes. You can hire an expert (we’re here for you!) to do these penetration tests regularly, which will then allow you to fix the said issues and enhance the security of your exchange.   8. Plan the default security mechanism Even before Blockchain came into the picture, there were always cyber-attacks happening and failing -- happening because of hackers’ smartness, failing because of proper default security mechanisms in place.  As an example, the recent Picreel attack did not harm the organization too much, despite the magnitude of the attack. This was because the default security mechanism detected anomalies and triggered a certain security mechanism that automatically deactivated the system. Make sure to have such a default security program in place, that can take control of your ecosystem as soon as some threat is detected. Another thing that can be done here is Salting and Hashing -- as it makes it difficult for intruders to read the data, even if they manage to steal it.  9. Don’t skip’s essential Don’t take this point lightly because it appears last in our checklist. This is as important, if not more, as the remaining pointers, and many exchange owners tend to take this lightly. KYC, or Know Your Customer, is a set of norms that are applicable to crypto exchanges across the globe. Whether or not your crypto exchange lies within the ambit of mandatory KYC regulations, it is still recommended to implement KYC, especially since cybercriminals are increasingly using cryptocurrencies like Ransomware. In conclusion Security considerations are important while developing an exchange application. It is understandable that with so much to take care of, security sometimes takes the back seat. With this article, we walked you through various security considerations as well as measures you can take -- so that the issue of security doesn’t get lost!  Did we miss something in this article? Do let us know! Need help with a blockchain project? Minddeft is an industry-best blockchain development service provider with a proven track record.