I’ve been getting too comfortable leaving cryptocurrency balances on exchanges. With the recent hack of Coincheck where 500 million NEM tokens were stolen, I moved some balances over to my wallets. When I first got started, I would move balances immediately. Over time, I got lazy. In some ways, this hack is an excellent wake-up call for good, safe practices.

I use Binance for most of my trading. Can Binance get hacked? Of course. Can I assess their website security? Yes, at least a little. Ripple News reported earlier this month that a “well-known” cybersecurity company said Binance’s security is poor. They were referring to the work of security expert Scott Helme. I googled Scott and found his website. He’s in the security business. He created the website SecurityHeaders.io. I ran Binance’s website using his service and got a D grade.

The specific problem areas noted are:

Content-Security-Policy. Content Security Policy is an effective measure to protect your site from XSS attacks. By whitelisting sources of approved content, you can prevent the browser from loading malicious assets.

X-XSS-Protection. X-XSS-Protection sets the configuration for the cross-site scripting filter built into most browsers. Recommended value “X-XSS-Protection: 1; mode=block”.

X-Content-Type-Options. X-Content-Type-Options stops a browser from trying to MIME-sniff the content type and forces it to stick with the declared content-type. The only valid value for this header is “X-Content-Type-Options: nosniff”.

Referrer-Policy. Referrer Policy is a new header that allows a site to control how much information the browser includes with navigations away from a document and should be set by all sites.

I ran other sites using his service. Apple.com got a C. Google.com and Amazon.com each got Ds too. Of course, his website got an A+. His work could be biased so I checked one more source from one of the most respected nonprofits in the tech space, Mozilla. They have a tool called Observatory which I used to check Binance. That service gave Binance a C.

The worst part of that C score came from an unimplemented Content Security Policy. Mozilla notes:

Content Security Policy (CSP) is an HTTP header that allows site operators fine-grained control over where resources on their site can be loaded from. The use of this header is the best method to prevent cross-site scripting (XSS) vulnerabilities. Due to the difficulty in retrofitting CSP into existing websites, CSP is mandatory for all new websites and is strongly recommended for all existing high-risk sites. The primary benefit of CSP comes from disabling the use of unsafe inline JavaScript. Inline JavaScript — either reflected or stored — means that improperly escaped user-inputs can generate code that is interpreted by the web browser as JavaScript. By using CSP to disable inline JavaScript, you can effectively eliminate almost all XSS attacks against your site. Note that disabling inline JavaScript means that all JavaScript must be loaded from <script> src tags. Event handlers such as onclick used directly on a tag will fail to work, as will JavaScript inside <script> tags but not loaded via src. Furthermore, inline stylesheets using either <style> tags or the style attribute will also fail to load. As such, care must be taken when designing sites so that CSP becomes easier to implement.

I think the key sentence above is “The use of this header is the best method to prevent cross-site scripting (XSS) vulnerabilities.” If that indeed is the best method, it should be implemented! Google and Amazon both got a D and Apple got a C on Mozilla’s tool. Amazon, for instance, has a cookie risk where they set session cookies without using the HttpOnly flag. Mozilla also gave SecurityHeaders.io an A+.
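To make the checks behind those grades concrete, here is a small offline checker that applies the four header checks listed earlier (Content-Security-Policy, X-XSS-Protection, X-Content-Type-Options, Referrer-Policy), the inline-script point from the Mozilla text just quoted, and the HttpOnly cookie issue mentioned above. This is an added example written for this post; it is not code from the post, from SecurityHeaders.io or from Mozilla Observatory, and it does not reproduce their exact scoring. The two HTTP responses in it are constructed samples, not captured from Binance or any other site.

```python
"""Offline checker for the response-header issues discussed in the post.

Added example, not the post's own code or the code behind SecurityHeaders.io
or Mozilla Observatory. WEAK_RESPONSE and HARDENED_RESPONSE are constructed
samples, not responses captured from any real site.
"""
from typing import Dict, List, Tuple

# Constructed sample: none of the four headers, and a session cookie
# set without the HttpOnly (or Secure) attribute.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: session=abc123; Path=/\r\n"
    "\r\n"
)

# Constructed sample: the same response with the recommended headers added.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "\r\n"
)


def parse_headers(raw: str) -> Tuple[Dict[str, str], List[str]]:
    """Split a raw response into a lower-cased header map plus the list of
    Set-Cookie values (Set-Cookie may repeat, so it cannot live in the dict)."""
    headers: Dict[str, str] = {}
    cookies: List[str] = []
    head = raw.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        if name == "set-cookie":
            cookies.append(value)
        else:
            headers[name] = value
    return headers, cookies


def csp_findings(csp: str) -> List[str]:
    """Check the policy the way the Mozilla text describes: it must restrict
    script sources (script-src, falling back to default-src) and must not
    re-enable inline script with 'unsafe-inline'."""
    out: List[str] = []
    directives: Dict[str, List[str]] = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    script_sources = directives.get("script-src", directives.get("default-src"))
    if script_sources is None:
        out.append("Content-Security-Policy sets neither script-src nor default-src")
    elif "'unsafe-inline'" in script_sources:
        out.append("Content-Security-Policy allows 'unsafe-inline' scripts")
    return out


def check_headers(raw: str) -> List[str]:
    """Return a list of findings; an empty list means every check here passed."""
    headers, cookies = parse_headers(raw)
    findings: List[str] = []

    csp = headers.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy missing")
    else:
        findings.extend(csp_findings(csp))

    # The exact value recommended in the list above.
    if headers.get("x-xss-protection") != "1; mode=block":
        findings.append("X-XSS-Protection missing or not '1; mode=block'")

    # The only valid value for this header.
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options missing or not 'nosniff'")

    if "referrer-policy" not in headers:
        findings.append("Referrer-Policy missing")

    # Cookie attributes follow the name=value pair, separated by semicolons.
    for cookie in cookies:
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        if "httponly" not in attrs:
            findings.append(f"cookie '{name}' set without HttpOnly")
        if "secure" not in attrs:
            findings.append(f"cookie '{name}' set without Secure")
    return findings


if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"{label}: {check_headers(resp) or ['no findings']}")
```

Running it reports six findings for the weak sample and none for the hardened one. The X-XSS-Protection check is kept because both grading tools on the post asked for it; current browsers no longer ship the filter it configured, so in practice the Content-Security-Policy check is the one that does the real work against XSS.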

While this is not a definite stance on Binance’s security, it does point out that legitimate security measures that can help lock down a site have not yet been implemented. No matter how safe your individual login may be with two-step authentication, if a hacker gets access to the right part of the server, you could still be at risk.

Binance’s Terms of Use

I read through the Binance Terms of Use. Section 2 covers account security. Basically, I am solely responsible for the safekeeping of my own account. Standard stuff. Section 5 covers liability. It starts with:

BINANCE will provide BINANCE Service at an “as is” and “commercially available” condition. BINANCE disclaims any express or implied warranty with regards to BINANCE Service, however, including but not limited to applicability, free from error or omission, continuity, accuracy, reliability or fitness for a particular purpose. Meanwhile, BINANCE disclaims any promise or warranty with regards to the effectiveness, accuracy, correctness, reliability, quality, stability, completeness and timeliness of the technology and information involved by BINANCE Service. You are fully aware that the information on BINANCE is published by users on their own and may contain risks and defects. BINANCE serves merely as a venue of transactions. BINANCE serves merely as a venue where you acquire coin related information, search for counterparties of transactions and negotiate and conduct transactions, but BINANCE cannot control the quality, security or legality of the coin involved in any transaction, truthfulness or accuracy of the transaction information, or capacity of the parties to any transaction to perform its obligations under the transaction documents.

I bolded a key sentence. Sure sounds like there is no warranty which also makes sense. A Binance Reddit account did address security in this post but didn’t respond to questions on insurance. If they get hacked I haven’t found any information that would force them to compensate lost funds. This also makes sense. Trade at your own risk.

Bottom Line…I still feel safe-ish but now more cautious about leaving balances on any exchange

Over the years, I’ve done my share of security checks on servers I’ve set up and systems I’ve built. I’ve been able to break into my servers from time to time, and then used that learning to make my setup more secure.

I do know there are tons of people trying to hack into servers every single day. Take my blog for instance. I launched this site just a few weeks ago and I already have HUNDREDS of attempts by hackers to gain access to my simple, little blog that doesn’t have any type of commerce. Check out the graphic above of the attempted hacks that were stopped just this past week.

If hundreds of attempts are made on my brand new blog, imagine the attempts made on sites like Binance. Now imagine that you work for Binance. How quickly has that company grown! Can you imagine what operations could be like? Kevin Mitnick’s quote is more than relevant: “Companies spend millions of dollars on firewalls, encryption, and secure access devices and it’s money wasted because none of these measures address the weakest link in the security chain: the people who use, administer, operate and account for computer systems that contain protected information.”

I will continue to trust Binance with my trades and feel it is secure for my individual use. But systems are not hacker-proof. While these grades given to Binance may not be totally fair, it does remind me that not all that can be done has been done to secure my money. I’ll try to never get lazy again and leave balances on exchanges.