Using Switcheo Securely

Hi everyone,

In light of the recent DNS attack on MyEtherWallet (MEW), the Switcheo team hope to share with our users some insights on how to keep yourself safe while trading on Switcheo Exchange and reiterate on the best practices when using cryptocurrencies in general.

As most of you know, being a decentralized exchange, Switcheo’s login strategies are similar to that of MEW and other online wallets, so it is important for our users understand how to protect themselves.

Summary of MEW incident (24 April 2018)

Users whose computers were configured to use Google’s public DNS servers were directed to a malicious page owned by the attackers when accessing from their browsers.

As the attackers did not possess a valid SSL certificate, these users were presented with an invalid certificate warning by their browsers. Users who further ignored the warning and clicked the Advanced > Proceed Anyway (Unsafe) button, and then proceeded to key in their Ethereum private keys had their wallet funds drained by the attackers. An approximate USD$150k worth of ethers was lost this way.

DNS poisoning or spoofing on a large scale is generally an expensive attack, and the attackers are thought to be sophisticated agents based on the way the attack was carried out (compromising of an ISP), combined with the fact that there was a large amount of funds already present in their wallet.

How we protect you

One of the key mistakes made by MyEtherWallet was their failure to add a security measure called HTTP Strict Transport Security (HSTS). This forces browsers to only use HTTPS when accessing the site, and more importantly, disallow users from bypassing any warnings. This would have prevented almost all of the funds from being lost.

Switcheo Exchange has implemented the HSTS headers, and have submitted our domain to the preload list previously (so new users will immediately use these rules as well). Therefore, we are assured that such attack will not succeed on (MEW has since also implemented said headers.)

The web’s DNS (domain name service) infrastructure is actually one of the oldest decentralized technologies in existence. However, because it was built at a time when the web was not available to the general public, participants were assumed to be trusted, and security was not a major concern. Today, however, we know that there are many ways that can this infrastructure can be exploited.

There are many newer web features that have since tried to improve on these these issue. Here are some of them which we have implemented:

CAA — We have implemented long lasting CAA records that will restrict issuance of SSL certificates to certain certificate authorities. This will increase the complexity of an attack with a valid certificate by preventing CAs and automated services such as LetsEncrypt from quickly provisioning certificates through DNS validation when the DNS service is compromised.

DNSSEC — DNSSEC is a recent extension to the DNS protocol, and we are actively looking to implement it. Due to the lack of support on AWS, our current DNS provider, we will need to use a different provider to implement it.

Extended Validation — EV SSL certificate enables browsers to show a company name beside the green lock on the address bar. In response to the breach, we have also begun provisioning a EV SSL certificate for our exchange domain. This will give users a second factor to check against, as it is generally harder and takes a longer time to provision an EV certificate. This will also increase the difficulty and reduce the impact of a similar attack.

In addition to these measures, we will be releasing other ways of interacting with the Switcheo DEX, which will include the Ledger Nano S, an “offline” mode and a packaged release of a desktop application. However, we are not yet ready to announce more specifics at this point of time, as much of the development is still in progress.

We are also happy to inform everyone that we had already started a contract with HackerOne, who will be managing our vulnerability reward/bug bounty program. They will also be providing us with a team of crowd-source hackers to constantly find and report any weaknesses in our security.

How to protect yourself

  • Never click through or ignore warnings! Always read the warnings and understand what they entail. If you do not understand a warning, you should either find out more or simply not use the service.
  • Always type in website addresses manually when accessing an important/high value site or wallet. Bookmark such sites after accessing it the first time for quicker and safer access.
  • Do not click on ads from search engines to access important websites; These ads may not always give you the legitimate address of the website you are searching for. This is also a common phishing strategy by attackers.
  • When accessing a site for the first time, authenticate that you have used the correct address from multiple sources such as Reddit, Twitter, and other 3rd-party references. One such 3rd-party reference is Cryptonite by MetaCert. When accessing Switcheo Exchange and other verified domains, you should see a green bar when using this extension. Do note that this just means the address is certified to not be a phishing domain, but it does not validate the contents of the page in the event of an attack.
  • Use a hardware wallet where possible for trading. Switcheo Exchange supports the use of the Ledger hardware wallet, and that is our recommended way of trading on our decentralized exchange.
  • Use a hot wallet for daily use and a cold wallet for holdings of large amounts of assets. Hardware and paper wallets with proper backups are a good choice for cold wallets.
  • Security is a layered defence. Even chrome extensions like MetaMask can be phished by a determined attacker. If you are a very active trader, consider using a separate trading wallet to minimize risks in the event that all else fails.

Remember that the weakest link in security is human, not technology — so please stay safe!

For more information on Switcheo, visit the following links:
Twitter : @switcheonetwork
Reddit: /r/switcheo
News & Updates:

CEO of Switcheo | Follow me on!