54% of cryptocurrency exchanges have security vulnerabilities says a report by ICORating

By Bittoria Exchange (BITTORIA), Oct 23, 2018

It cannot be denied that the cryptocurrency market is still in its early stages, and therefore it is yet to develop to a stage where it becomes a part of mainstream financial systems and there are comprehensive rules to govern its operations. At present, the crypto-sphere is largely self-regulatory, an attribute that has its pros and cons. Such a self-regulatory system, while on the one hand offering the opportunity for uninhibited innovation and growth, on the other hand leaves a lot of scope for fraud and attacks.

In the current cryptocurrency ecosystem, exchanges play a crucial role in enabling users to interact with cryptocurrencies. Since cryptocurrency exchanges are such an important component of this ecosystem, it is unquestionable that they have to be robust enough to provide maximum security to their users against attacks. However, that is not the case. Between 2010 and 2018, about 31 crypto exchanges have been hacked, which has resulted in a loss of around $1.3 billion.

In a study conducted by ICORating.com, published on October 2, it was found that more than half of the cryptocurrency exchanges were doing poorly in terms of security. They had at least one major security hole, among which the most common were:

  1. 32% of exchanges have code errors, which lead to certain issues in operation such as data loss.
  2. 41% of exchanges are fine with passwords containing fewer than 8 symbols.
  3. 37% of exchanges do not require passwords to have special characters; they allow passwords with either digits or letters alone.
  4. 5% of exchanges have not made email verification a mandatory part of account creation.
  5. 3% of exchanges do not use 2-factor authentication (2FA).

Thus, there are only 46% of exchanges which have enforced all four parameters for ensuring strong security — passwords of more than 8 symbols, complex passwords with special characters, mandatory email verification for account creation and 2FA.

When it came to registrar and domain security, only 2% of exchanges were using registry lock, while only 10% of exchanges were using DNSSEC. Upon analysis, it was found that only 4% of the exchanges were following best practices for ensuring registrar and domain security.

Web security protocols were also found to be lacking in several exchanges. Only 10% of exchanges have all five headers — Strict-Transport-Security, X-XSS-Protection, Content-Security-Policy, X-Frame-Options and X-Content-Type-Options. Surprisingly, 29% of exchanges were found to have none of the above-mentioned headers.
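The report counts which of the five headers an exchange's web front end returns. The following is an added example, not code from the original post or from ICORating, that performs that same check on a raw HTTP response: it parses the response head, reports which of the five headers are missing, flags present-but-weak values, and buckets the result the way the report does (all five, none, or partial). The three sample responses are constructed for illustration, and the one-year HSTS threshold and the "weak value" rules are the example's own assumptions, not criteria taken from the report.

```python
import re
from typing import Dict, List, Tuple

# The five response headers named in the ICORating summary.
REQUIRED_HEADERS = [
    "strict-transport-security",
    "x-xss-protection",
    "content-security-policy",
    "x-frame-options",
    "x-content-type-options",
]

# Assumed threshold for this example: HSTS max-age of at least one year.
HSTS_MIN_MAX_AGE = 31536000


def parse_response_headers(raw: str) -> Dict[str, str]:
    """Parse an HTTP/1.x response head into a lower-cased name -> value dict.

    The status line is skipped, the first blank line ends the header section
    (so a body is ignored), malformed lines are dropped and a repeated header
    keeps its last value. Header folding is not handled.
    """
    headers: Dict[str, str] = {}
    lines = raw.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:
        if not line.strip():
            break
        name, sep, value = line.partition(":")
        if not sep:
            continue
        headers[name.strip().lower()] = value.strip()
    return headers


def check_header_value(name: str, value: str) -> List[str]:
    """Return findings for a header that is present but weakly configured
    (rules are this example's assumptions about sensible values)."""
    findings: List[str] = []
    if name == "strict-transport-security":
        m = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
        if not m:
            findings.append("strict-transport-security: no max-age directive")
        elif int(m.group(1)) < HSTS_MIN_MAX_AGE:
            findings.append(f"strict-transport-security: max-age {m.group(1)} is shorter than one year")
    elif name == "x-frame-options":
        if value.upper() not in ("DENY", "SAMEORIGIN"):
            findings.append(f"x-frame-options: unexpected value {value!r}")
    elif name == "x-content-type-options":
        if value.lower() != "nosniff":
            findings.append(f"x-content-type-options: expected 'nosniff', got {value!r}")
    elif name == "x-xss-protection":
        if value.strip().startswith("0"):
            findings.append("x-xss-protection: filter explicitly disabled")
    elif name == "content-security-policy":
        lowered = value.lower()
        if "'unsafe-inline'" in lowered or "'unsafe-eval'" in lowered:
            findings.append("content-security-policy: allows unsafe-inline or unsafe-eval")
    return findings


def audit_headers(raw: str) -> Tuple[List[str], List[str]]:
    """Return (missing header names, weak-value findings) for a raw response."""
    headers = parse_response_headers(raw)
    missing = [h for h in REQUIRED_HEADERS if h not in headers]
    weak: List[str] = []
    for h in REQUIRED_HEADERS:
        if h in headers:
            weak.extend(check_header_value(h, headers[h]))
    return missing, weak


def classify(raw: str) -> str:
    """Bucket a response the way the report does: all five, none, or N of five."""
    missing, _ = audit_headers(raw)
    present = len(REQUIRED_HEADERS) - len(missing)
    if present == len(REQUIRED_HEADERS):
        return "all five"
    if present == 0:
        return "none"
    return f"{present} of five"


# Constructed sample responses (not captured from any real exchange).
HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n"
    "<html>ignored body</html>\r\n"
)
BARE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nServer: example\r\n\r\n"
PARTIAL = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "X-Frame-Options: ALLOW-FROM https://example.invalid\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw in (("hardened", HARDENED), ("bare", BARE), ("partial", PARTIAL)):
        missing, weak = audit_headers(raw)
        print(f"{label}: {classify(raw)}; missing={missing}; weak={weak}")
```

Run against a saved response head (for example the output of `curl -sI` on a site you operate), the function returns the missing list and the weak-value findings separately, so a header that is present but effectively disabled is not mistaken for a passing check.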

Thus, it is not surprising to see cryptocurrency exchanges getting hacked frequently, since they fail to comply with even the most basic security protocols such as strong passwords and 2FA. The importance of complying with security best practices cannot be emphasised enough. Strong security will enhance not only the confidence of users, but also that of regulatory bodies, which have been sitting on decisions around approving cryptocurrencies and related infrastructure because of their concerns regarding security.
