How to Handle Exchange Security by Taking it Really Seriously?

@ md-ataullah-khan Md Ataullah Khan SEO marketer with an experience of 7+ years.

Photo by Paweł Czerwiński on Unsplash

Exchange security compromises more than just securing the tokens that are being traded. Exchanges have two main things to worry about: user funds and user data. However, both have many ways to be compromised, such as hacking the exchanges’ wallets, the absence of fallback mechanisms or thorough security measures, phishing or, as the following case study shows, through APIs.

reactions

Case Study: Binance 3rd Party API Hack

“On Mar 7, UTC 14:58–14:59, within this 2 minute period, the VIA/BTC market experienced abnormal trading activity. Our automatic risk management system was triggered, and all withdrawals were halted immediately.”

reactions

This message was sent out due to a large scale phishing and stealing attempt. The Binance API itself was not compromised, but a 3rd party trading bot was. This trading bot holds the API keys from Binance to allow it to make buy and sell offers on the user its behalf. However, due to a security issue with this 3rd party bot, hackers were able to get access to multiple accounts.

reactions

The reason I’ve picked this use case is to show that an exchange has to think also outside of internal systems.

reactions

In this case, the hackers knew in advance they cannot withdraw through the trading bot, so before the hack, they bought tons of VIA coin and used the trading bot hack to pump it and sell on a higher price.

reactions

Luckily, Binance has detection algorithms in place that were able to detect this suspicious behavior change for VIA coin and halted trading for the coin.

reactions

Besides the detection algorithms, they have a fallback mechanism in place to renew all API keys so further damage could be prevented.

reactions

Binance API hack is not the only recent example… In January this year, Cryptopia exchange got hacked for $16 million worth of Ether and ERC-20 tokens. Cryptopia lost access over its wallets and only after two weeks following the initial breach, the exchange regained control. Cryptopia had no fallback mechanisms in place to assure continued access to their wallets.

reactions

Whereas Bitstamp got hacked for over $15 million worth of coins for the 3rd time in two years, and I’m quite sure most of you heard about the Canadian QuadrigaCX scandal in which the founder lost the private keys holding over $130 million.

reactions

As we can see, some exchanges perform well, but many don’t. There is definitely a need for improved crypto exchange security with better fallback mechanisms and faster response/detection systems to protect investors but also exchanges.

reactions

Best Practices: CODEX Exchange Demonstrates How It’s Done

CODEX Exchange is a licensed cryptocurrency asset exchange based in Estonia which has received the highest, 10 / 10, web platform security ranking by Hacken penetration test.

reactions

CODEX takes security very seriously as they use EdDSA cryptography and do not store any API secrets to absolutely minimize the risk of getting comprised via their API. Like Binance, they hold an internal anti-fraud system that detects unusual behavior like sudden large sums withdrawals.

reactions

Furthermore, CODEX conducted an interesting multi-stage security audit. While the first stage is an internal security audit and the third stage is a bug bounty program which is standard, it is the 2nd stage, an external audit performed by Hacken, that interests me most.

reactions

Hacken Security Audit

Hacken tackles the process of performing a security audit for an exchange by taking 3 steps:

reactions

The first step consists of testing the overall security of the systems by using the best practices presented in the Open Web Application Security Project (OWASP).

reactions

The second step consists of gathering intelligence about the target, trying to detect and identify possible threats that can be exploited.

reactions

The last step is to test possible exploits and to convert the findings into recommendations to address weak security measures.

reactions

Hacken was only able to find a couple of medium-to-low risk issues in CODEX’s website and web application. No major design flaws. This amazing result made Hacken award a 10/10 rating to CODEX Exchange.

reactions

How Else Can You Protect Your Exchange?

While CODEX’s security practices are to be learned from, other exchanges in the cryptocurrency space are demonstrating important security practices, such as the following:

reactions

Two Factor Authentication with Cookies

Of course, it makes sense to implement Two Factor Authentication. However, this can be leveraged by using cookies. Cookies are used to track IP addresses which are whitelisted for logging in. The cookies can also be used to track whenever a new device or IP is used to log in via Two Factor Authentication.

reactions

Whenever a new device is detected, this device needs to be whitelisted via email or SMS verification that this is actually your device. If you are not able to prove you own this device, it needs to be blocked.

reactions

Implemented by: Many exchanges like Binance, Bitstamp.

reactions

Offline Storage

The most secure exchanges combat the threat of hacks by storing the vast majority of their digital assets in secure, offline storage. To set an example, Coinbase stores 98 percent of its customers’ holdings in offline storage using FIPS-140 drives and paper backups.

reactions

Also, a new trend tries to introduce the trading directly from hardware wallets as it’s supposed to be much safer. Trezor wallet supports this functionality since September 2018, but also new protocols are being developed to use this on a wider scale like exchange level.

reactions

Implemented by: Coinbase, …

reactions

Crypto Address Whitelisting

An alternative method to creating an address book is creating a list of whitelisted crypto addresses you trust and only allow transactions back-and-forth these addresses. Currently, Coinbase offers this as a Pro feature which you can enable. However, I believe this should be a security measure every exchange offers by default.

reactions

Implemented by: Coinbase Pro

reactions

Conclusion

Keeping an exchange secure requires much more than just verifying the internal systems’ security. If we consider what happened via the Binance API, an exchange should be aware of the potential risks of every service it offers or exposes.

reactions

Exchange security is a rigorous process that concludes code assessments, integration testing, penetration testing, but also UI testing. CODEX Exchange perfectly understood this need for exchange security and implemented this successfully.

reactions

It’s great to see that some exchanges do invest time into exchange security like CODEX Exchange that got a 10/10 rating on hacken.io.

reactions

Share this story @ md-ataullah-khan Md Ataullah Khan Read my stories SEO marketer with an experience of 7+ years.

Tags