Cryptocurrencies have been rocking the news headlines for the past few years due to their unprecedented rise in value that has seen people become millionaires from making small investments in them. Although there has been news of people making loads of money from these investments, there have also been a plethora of stories pertaining to cryptocurrency exchange providers being breached by hackers.
The anonymous nature of transactions on some exchanges and cryptocurrencies has led hackers to home in on these websites and steal billions of dollars in cryptocurrencies from miners and customers alike over the years. Many of these hacks have led to the swift demise of these cryptocurrency exchange providers due to the sheer quantity of breached accounts and the value of the cryptocurrency that was stolen.
These hacks make the prospect of opening and operating an online digital currency exchange seem extremely risky, but it shouldn’t be. If your exchange takes the right stance on its encryption and cybersecurity standards, it can reap the benefits of increased traffic without the threat of a future breach.
This article aims to address the mounting threat of crypto exchange provider hacks and how exchange providers can double their efforts to keep hackers from breaking down their cyber barriers and to keep their blockchain safe. Doing so requires that the exchange provider take the necessary steps towards becoming compliant with the rules and regulations documented in the CryptoCurrency Security Standards (CCSS). With the knowledge that your exchange accumulates from this article, you’ll be set to take on hackers and combat their attempts to breach your cryptocurrency database.
Cryptocurrency Exchange Providers
The buying, selling, trading, and exchange of cryptocurrencies can be carried out on a crypto exchange provider website. These exchanges are marketplaces where investors can trade their cryptocurrencies with others anonymously on a decentralized platform that is free from government regulations. Cryptocurrency exchanges are Peer-to-Peer (P2P) platforms that provide escrow and transaction mediation services for users. Investors can trade cryptocurrencies either for other cryptocurrencies or for hard currencies such as US Dollars, Euros, GBP, etc. A service charge is applied to every transaction, which is how exchange providers turn a profit.
The table below documents the top 10 Cryptocurrency exchanges to date (notice they average more than $2 billion combined in cryptocurrency trades every day):
|Market Share %
*Above figures are current as of August 23rd, 2018
Cryptocurrency Data Breaches
The amount of digital currency and the transaction volume that pass through these decentralized cryptocurrency exchanges every day lead to inherent investment risks for all those who partake. Unregulated processes and incorrectly implemented software features can lead to massive data breaches that can empty cryptocurrency wallets to the tune of hundreds of millions of dollars in an instant. The latest cryptocurrency exchange security breaches to happen in 2018 (Coincheck and Coinrail) were caused by the insecure storage of cryptocurrencies in hot wallets. These wallets are stored online, and thus do not carry the same security as wallets that store cryptocurrency offline (cold storage).
It’s regarded as good practice for cryptocurrency exchanges to carry a healthy percentage of their cryptocurrency in cold wallets for liability reasons. Exchanges get into the habit of carrying more than the recommended amount of cryptocurrency in their hot wallets to ensure timely payouts that meet market liquidity demands. After Coincheck’s $500 million security breach in early 2018, it was found that inexperienced developers were the cause of the exchange’s breach of security, which has led to the indefinite suspension of transactions on the site. The Coincheck breach was massive, but the circumstances that surround the breach don’t pertain to all breaches. Hackers can still force their way into a cryptocurrency exchange via alternative routes such as phishing emails and websites. These routes are detailed in the three subheadings below:
Phishing is a cybercrime that takes many forms. It involves impersonating a legitimate organization in order to steal a customer’s sensitive information, which then nets the attacker considerable income. This usually targets customers on a one-off basis, but it can also happen when the phishing email arrives through a company email account. If the employee doesn’t identify the email as illegitimate, they might click on the hyperlink that the phishing email contains and allow the hacker to steal sensitive company data, thus giving them access to customer data. Most cryptocurrency exchanges understand how to identify a phishing email, but all hackers need is one person who cannot identify the scam for the phishing email to work.
Another form that phishing scams take is that of a phishing website. This is essentially a duplicate of a legitimate site that is accessed either by typing the website into the search bar or by clicking on the phishing site’s hyperlink. When traders visit these sites and enter login information, the hacker automatically obtains all of their transaction verification details and proceeds to empty their e-wallets into the hacker’s own.
To deter these phishing attacks, it’s best to implement robust spam filters on your email that block messages whose body contains illegitimate URLs. Traders should also be on guard and look for the signs of a phishing email or site by reviewing its spelling and grammar, which might differ from the branding that is associated with the legitimate exchange.
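One way a mail filter could flag the illegitimate URLs described above, as an added example that is not part of the original article. The domain `exchange.example`, the verdict labels and the sample message are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: placeholder for the exchange's real registered domain.
LEGIT_DOMAIN = "exchange.example"
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)

# Constructed sample message, not taken from a real campaign.
SAMPLE_BODY = """Dear trader, your account is locked.
Verify at https://exchannge.example/login or
https://exchange.example.account-verify.test/reset
Official help: https://www.exchange.example/support
"""


def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss hostnames."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url):
    """Return 'legit', 'unknown', or a 'suspicious:<reason>' verdict."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    if "@" in parts.netloc:
        return "suspicious:userinfo"          # text before '@' is not the host
    if host == LEGIT_DOMAIN or host.endswith("." + LEGIT_DOMAIN):
        return "legit"
    if host.startswith("xn--") or ".xn--" in host:
        return "suspicious:punycode"          # possible homoglyph domain
    if LEGIT_DOMAIN in host:
        return "suspicious:brand-in-subdomain"
    bare = host[4:] if host.startswith("www.") else host
    if edit_distance(bare, LEGIT_DOMAIN) <= 2:
        return "suspicious:lookalike"
    return "unknown"


def scan_email(body):
    """List (url, verdict) for every link that is not on the legitimate domain."""
    verdicts = ((u, classify_url(u)) for u in URL_RE.findall(body))
    return [(u, v) for u, v in verdicts if v != "legit"]
```

Links with an `unknown` verdict are not necessarily malicious; a filter would typically quarantine the `suspicious:*` ones and pass the rest to reputation checks.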
Combatting Cryptocurrency Hacks
Cryptocurrency hacks have become more of an issue as the years progress. With billions of dollars’ worth of cryptocurrency being stolen over the course of the past few years, there is a consensus in the industry that more needs to be done to combat these breaches. Japan and South Korea have been spearheading government regulations pertaining to cryptocurrency exchanges, which might become a global standard in the future. Until that time, there are many ways that cryptocurrency exchanges can learn from the failures of other exchanges that have been hacked and implement controls that will allow them to survive in a sea of hackers.
One such measure that cryptocurrency exchanges can implement immediately, and that doesn’t require a massive amount of resources, is two-factor authentication (2FA). If your site has implemented 2FA, it will send the individual a text upon original login that gives them a code to log in to their account. Although 2FA is secure, it isn’t as secure as multi-factor authentication (MFA), which can add as many authentication steps to the login process as are wanted. An example of MFA would be for the user to log in to the website using their credentials, verify their login via an SMS text code, then verify they are not a robot and/or answer a personal question that they answered upon account signup. This extra authentication step can be the saving grace for users if there happens to be a site breach.
Another step that should be taken to combat cryptocurrency hackers is the creation of hot and cold wallets. Both wallets store cryptocurrency, but they do so in different ways. A hot wallet stores cryptocurrency online in a way that allows for convenient, fast transactions between traders. A cold wallet stores cryptocurrency offline and takes longer to recall but is highly encrypted. It is a good habit for cryptocurrency exchanges to keep a sizable amount of assets in cold wallets, but due to the increased demands of cryptocurrency trading, some exchanges prefer to keep most of their assets in a hot wallet. This is highly risky, as money withdrawals from hot wallets do not require the same administrator approval that cold wallet withdrawals do. This disregard for security when handling millions of dollars in cryptocurrency can lead to breaches that could have been easily avoided if the appropriate protocols and standards were implemented.
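A sketch of the hot/cold split as enforceable policy, added here as an example and not taken from the article or from CCSS. The 5% hot-wallet cap, the two-administrator quorum and the administrator ids are assumed values; amounts are integers in the currency's smallest unit.

```python
from dataclasses import dataclass

# Assumed policy values for illustration; the article gives no figures.
HOT_CAP_PERCENT = 5                  # at most 5% of total assets kept online
COLD_APPROVAL_QUORUM = 2             # distinct administrators required
ADMINS = {"alice", "bob", "carol"}   # hypothetical administrator ids


@dataclass
class Balances:
    hot: int    # smallest currency units held online
    cold: int   # smallest currency units held offline

    @property
    def total(self):
        return self.hot + self.cold


def sweep_to_cold(b):
    """Amount to move offline so the hot wallet is back under the cap."""
    allowed_hot = (b.total * HOT_CAP_PERCENT) // 100
    return max(0, b.hot - allowed_hot)


def authorize_withdrawal(b, wallet, amount, approvals=()):
    """Return (allowed, reason) for a withdrawal request."""
    if amount <= 0:
        return False, "invalid amount"
    if wallet == "hot":
        # Fast path: no administrator approval, so exposure is bounded by the cap.
        if amount > b.hot:
            return False, "exceeds hot balance; refill requires cold approval"
        return True, "hot wallet payout"
    if wallet == "cold":
        valid = set(approvals) & ADMINS   # drops duplicates and unknown ids
        if len(valid) < COLD_APPROVAL_QUORUM:
            return False, f"need {COLD_APPROVAL_QUORUM} approvals, have {len(valid)}"
        if amount > b.cold:
            return False, "exceeds cold balance"
        return True, "cold withdrawal approved"
    return False, "unknown wallet"
```

Running `sweep_to_cold` on a schedule keeps the amount reachable without approval bounded, whatever the day's trading volume was.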
Implementing policies and protocols without a guide can be daunting and nearly impossible to accomplish. It was for precisely this reason that the Cryptocurrency Security Standards (CCSS) were introduced to the cryptocurrency industry in 2014 with the purpose of standardizing the protocols related to securing private keys. CCSS was compiled by security auditors, researchers, and principals from a variety of companies and is the go-to standard for companies that handle and manage cryptocurrency wallets.
The CCSS compliance certification is broken down into three distinct levels of increasing security (I, II, and III), which are based on a list of 33 unique controls. The levels each have their own focus, and the higher the level of compliance your organization maintains, the more prestigious it will appear to virtual currency investors. Let’s take a closer look at them in the following subheadings:
The focus of Level I CCSS compliance is to maintain the confidentiality of the trader. To become Level I compliant, exchanges must prove that 19 of the 33 security controls are being maintained at all times. Level I CCSS security is achieved when a cryptocurrency exchange has proved that the keys that are being created are being used by the person who is supposed to be using them. It is preferred that the keys are generated by a site administrator via an offline encrypted database to ensure the appropriate security. From there, the key is transferred onto the targeted device for use and promptly deleted in a secure fashion by the exchange via the use of CCSS-compliant data sanitization techniques.
Level II CCSS compliance is geared towards the validation of the key generation methodology. To become Level II compliant, exchanges must prove that 28 of the 33 security controls are being maintained at all times. The software that generates keys to be used for virtual currency exchange transactions needs to be focused on that single task and not be allowed to store or transmit the key seed information to another entity. Organizations wishing to become Level II compliant must submit to an audit of their software, which will need to generate a digital signature that can be validated prior to transaction execution.
To become Level III compliant, exchanges must prove that all 33 security controls are being maintained at all times. Level III compliance calls for the deployment of advanced authentication methodologies that are utilized to authenticate and assets. The authentication data must be able to pinpoint the source of the transaction both geographically and organizationally. Key holders must also undergo background checks to ensure that they do not pose a security threat to the viability of the exchange.
The cryptocurrency industry is not free from risk or theft in the least bit. If a breach occurs on a cryptocurrency exchange and money is stolen, it’s most likely never going to be returned unless the exchange maintained the bulk of its assets in cold storage. Achieving CCSS compliance is a sure-fire way to help exchange users feel more comfortable using your exchange to trade cryptocurrency. It is interesting to note that all systems that have succumbed to high-profile cryptocurrency breaches have been found to have failed to comply with CCSS Level I. Cryptocurrency exchanges that incorporate CCSS into their organization must ensure that they use it to supplement their other cybersecurity protocols rather than think of CCSS as their sole means of protecting their operations.