Cryptocurrency Exchange Security
Historically, exchanges have been the weakest point of cryptocurrency infrastructure: attacking them pays better, and for a long time they were easier to crack than individual wallets. As cryptocurrencies entered the mainstream, security expectations rose with them, and exchanges now promise customers reliability comparable to online banking. Nevertheless, reports of hacks and thefts keep appearing in the news. Below we look at how things actually stand with the security of cryptocurrency exchanges, which protection measures are in use, and how effective they are.
The root of the security problems of cryptocurrency exchanges seems to be a deep-seated belief, shared by users and operators alike, that the cryptocurrency will protect itself. Management neglects vulnerabilities in the platform, and users take a casual attitude to the security of their wallets. As a result, crypto exchanges are compromised mainly in two ways: through technical vulnerabilities or through social engineering.
At the end of last year, analysts in the United States studied 135 large exchanges and found that only a handful of them comply with security standards to any real degree. Not a single exchange earned the top rating of "A+". Two exchanges (Kraken and Cobinhood) received an "A"; the rest scored "A–" or lower.
The assessment looked for weaknesses in three areas: user accounts, domain and registrar settings, and web protocols. The results are disappointing.
Web protocols had the fewest problems, though that is not saying much: protection against the most common attacks is implemented on only 40% of exchanges. The remaining 60% remain exposed to man-in-the-middle (MITM) attacks, where an attacker inserts themselves into the connection and reads or alters traffic without either endpoint noticing, to POODLE, a padding-oracle attack that lets an attacker who already intercepts traffic decrypt parts of it once a connection has been downgraded to SSL 3.0 with a CBC cipher suite, and to many others.
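POODLE only works if the server still completes an SSL 3.0 handshake with a CBC cipher suite, so the first thing to check on an exchange's endpoints is whether they will. The Python module below is an added example, not code from this page or from the survey it describes: it assembles a raw SSL 3.0 ClientHello by hand (modern `ssl` modules no longer speak SSL 3.0, so they cannot be used to probe for it), sends it to a host named on the command line, and classifies the first record that comes back. The server responses used to exercise the parser are constructed inline; no real host is contacted unless you pass one.

```python
import os
import socket
import struct
import sys

# Cipher suites offered in the SSL 3.0 ClientHello. The CBC suites are the ones
# POODLE exploits; RC4 is included so a server that dropped CBC but still
# speaks SSL 3.0 is not missed.
SSLV3_CBC_SUITES = [0x002F, 0x0035, 0x000A]   # AES-128-CBC-SHA, AES-256-CBC-SHA, 3DES-CBC-SHA
SSLV3_RC4_SUITES = [0x0005, 0x0004]           # RC4-SHA, RC4-MD5
SSLV3_VERSION = b"\x03\x00"

RECORD_HANDSHAKE = 0x16
RECORD_ALERT = 0x15
HANDSHAKE_CLIENT_HELLO = 0x01
HANDSHAKE_SERVER_HELLO = 0x02


def build_sslv3_client_hello(cipher_suites=None, client_random=None):
    """Return one SSL 3.0 record carrying a ClientHello (SSL 3.0 predates
    extensions, so the body ends after the compression methods)."""
    suites = cipher_suites or SSLV3_CBC_SUITES + SSLV3_RC4_SUITES
    client_random = client_random or os.urandom(32)
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = (
        SSLV3_VERSION                                   # client_version = 3.0
        + client_random                                 # 32-byte random
        + b"\x00"                                       # session_id length = 0
        + struct.pack("!H", len(suite_bytes)) + suite_bytes
        + b"\x01\x00"                                   # one compression method: null
    )
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([RECORD_HANDSHAKE]) + SSLV3_VERSION + struct.pack("!H", len(handshake)) + handshake


def classify_server_response(data):
    """Classify the first record the server returns.
    'sslv3_accepted': ServerHello with version 3.0 (the POODLE-relevant case)
    'alert'         : server refused the handshake (what a hardened host does)
    'closed'        : connection closed without sending a record
    'other'         : anything else, e.g. a non-TLS service answering"""
    if not data:
        return "closed"
    if len(data) < 5:
        return "other"
    content_type, version = data[0], data[1:3]
    length = struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + length]
    if content_type == RECORD_ALERT:
        return "alert"
    if (content_type == RECORD_HANDSHAKE and version == SSLV3_VERSION
            and len(payload) >= 6 and payload[0] == HANDSHAKE_SERVER_HELLO
            and payload[4:6] == SSLV3_VERSION):
        return "sslv3_accepted"
    return "other"


def negotiated_cipher_suite(data):
    """Cipher suite chosen in an SSL 3.0 ServerHello record, or None."""
    if classify_server_response(data) != "sslv3_accepted":
        return None
    hello = data[9:]                      # skip 5-byte record and 4-byte handshake headers
    session_id_len = hello[34]            # version (2) + random (32) precede it
    offset = 35 + session_id_len
    return struct.unpack("!H", hello[offset:offset + 2])[0]


def probe_sslv3(host, port=443, timeout=5.0):
    """Send the ClientHello to a live endpoint and classify its reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            reply = sock.recv(4096)
        except socket.timeout:
            reply = b""
    return classify_server_response(reply), negotiated_cipher_suite(reply)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: sslv3_probe.py <host>")
    print(sys.argv[1], probe_sslv3(sys.argv[1]))
```

A ServerHello with version 3.0 and one of the CBC suites is the configuration POODLE needs; a fatal alert (typically protocol_version or handshake_failure) or a closed connection means the server refuses the downgrade, which also takes away the lever a MITM would use to force it. Each hostname in front of the exchange (web front end, API, websocket endpoint) needs its own probe, and the fix is to disable SSL 3.0 server-side rather than to rely on clients signalling TLS_FALLBACK_SCSV.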
Domain and registrar weaknesses came second. Here the picture is bleak: little more than 3% of exchanges use even the minimum protective measures recommended for financial services.
User accounts are by far the biggest source of weaknesses. On almost half of the exchanges the password may consist of letters only, or of letters and digits only; many have no automatic logout from an idle session; on more than 20% of the platforms the user has no way to separately confirm a transaction. 5% of the sites offer no two-factor authentication at all, and on 2% an account can be registered without confirmation by phone or email.
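For the transaction-confirmation and two-factor gaps just listed, here is the server side of a TOTP second factor (RFC 6238, the scheme authenticator apps implement) used as a step-up check before a withdrawal is queued. It is an added example, not code from this page or from any exchange. The secret is the RFC 6238 test seed so the codes can be checked against the RFC's own vectors; the in-memory replay state and the shape of `confirm_withdrawal` are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30
DIGITS = 6
ALLOWED_DRIFT_STEPS = 1     # tolerate one 30 s window of clock skew either side

# RFC 6238 Appendix B test seed (ASCII "12345678901234567890"), base32-encoded
# the way an authenticator app receives it in the provisioning QR code.
TEST_SEED_BASE32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def secret_from_base32(encoded):
    """Decode a provisioning secret; b32decode insists on '=' padding to 8 chars."""
    encoded = encoded.strip().replace(" ", "").upper()
    return base64.b32decode(encoded + "=" * (-len(encoded) % 8))


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then
    dynamic truncation to a `digits`-digit decimal string."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp(secret, unix_time, step=STEP_SECONDS, digits=DIGITS):
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, int(unix_time) // step, digits)


class SecondFactor:
    """Per-account verifier. Besides checking the code, it remembers the last
    time step that authorised something, so a code captured once (a phishing
    page relaying it, shoulder surfing) cannot be replayed inside its window.
    Assumption for this example: state lives in memory; production keeps it
    server-side per account."""

    def __init__(self, secret):
        self.secret = secret
        self.last_used_step = -1

    def verify(self, code, now=None):
        now = time.time() if now is None else now
        current = int(now) // STEP_SECONDS
        for step in range(current - ALLOWED_DRIFT_STEPS, current + ALLOWED_DRIFT_STEPS + 1):
            if step < 0 or step <= self.last_used_step:
                continue            # already consumed (replay) or older than one we accepted
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_used_step = step
                return True
        return False


def confirm_withdrawal(factor, amount, destination, code, now=None):
    """Step-up check: the withdrawal is queued only when a fresh, unused
    second-factor code accompanies it; a valid session cookie alone is not enough."""
    if not factor.verify(code, now):
        return {"status": "rejected", "reason": "second factor invalid or already used"}
    return {"status": "queued", "amount": amount, "destination": destination}
```

Two design points matter here: the code is compared with `hmac.compare_digest` rather than `==`, and each accepted time step is burned, so the same six digits cannot authorise a second withdrawal even within the 30-second window. TOTP still does not survive the phishing scenario described later on this page, where the user types the current code into a look-alike site that relays it immediately; only origin-bound authenticators such as FIDO2 security keys resist that.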
And this is the 135 largest platforms. One can only guess at the level of security on smaller exchanges.
Users make matters worse. If a site allows a password like "0123456" or "qwerty", such passwords are guaranteed to be used. If a site does not require login confirmation, most users will not even think of enabling two-factor authentication.
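As an added example (not code from this page), here is the password rule the survey describes, letters and digits only with no other constraint, beside a hardened check that follows the NIST SP 800-63B approach: a length floor and screening against a deny-list and the user's own identifiers instead of character-class rules. The deny-list is a constructed stand-in for a real breached-password corpus, and the detection of keyboard and sequential runs is a heuristic added here for illustration.

```python
import re

# Constructed stand-in for a breached/common-password corpus; production
# should screen against a real one (e.g. an offline Have I Been Pwned list).
COMMON_PASSWORDS = {"0123456", "qwerty", "123456", "password", "letmein", "bitcoin", "iloveyou"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
MIN_LENGTH = 12        # NIST SP 800-63B: length matters far more than character classes
MIN_DISTINCT = 5


def weak_policy_accepts(password):
    """The rule the survey found on almost half of the exchanges: any non-empty
    string of letters, or letters and digits, is accepted. "qwerty" passes,
    while a long passphrase with spaces is refused."""
    return re.fullmatch(r"[A-Za-z0-9]+", password) is not None


def has_sequential_run(password, run=4):
    """True if `run` consecutive characters form an ascending sequence ("abcd",
    "0123") or walk a keyboard row in either direction ("qwer", "9876")."""
    s = password.lower()
    for i in range(len(s) - run + 1):
        chunk = s[i:i + run]
        ascending = all(ord(chunk[j + 1]) - ord(chunk[j]) == 1 for j in range(run - 1))
        on_keyboard = any(chunk in row or chunk in row[::-1] for row in KEYBOARD_ROWS)
        if ascending or on_keyboard:
            return True
    return False


def hardened_policy_check(password, user_fields=()):
    """Return the list of reasons a password is rejected; an empty list means it
    is acceptable. `user_fields` are identifiers such as the login name or the
    local part of the email address, which must not appear inside the password."""
    reasons = []
    lower = password.lower()
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if lower in COMMON_PASSWORDS:
        reasons.append("on the common-password list")
    if any(len(f) >= 4 and f.lower() in lower for f in user_fields):
        reasons.append("contains an account identifier")
    if has_sequential_run(password):
        reasons.append("contains a keyboard or sequential run")
    if len(set(lower)) < MIN_DISTINCT:
        reasons.append(f"fewer than {MIN_DISTINCT} distinct characters")
    return reasons
```

Returning every failing reason rather than a bare boolean lets the registration page tell the user what to change, which is what makes people pick something better instead of appending a digit to "qwerty". The deny-list lookup is the check that does most of the work; the run and distinct-character heuristics only catch the obvious patterns a short list would miss.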
Phishing, one of the main causes of compromised exchange accounts, hardly needs an introduction. Users not only follow links in emails that purport to come from the exchange, but also willingly enter usernames, passwords, seed phrases and other personal data on sites that merely look like the familiar resource.
The concept of autonomous, distributed financial services is still somewhat experimental and volatile.
There is currently a conscious effort by the new crop of DeFi solutions to build improved infrastructure that would make DeFi more inclusive. This trend has spurred the creation of bridges between…