Cryptocurrency exchange security

Ryan Hickman, CoinDealer
Published May 13, 2019

Security culture should be everything to your team.

Security in cryptocurrency, including exchanges and ICOs, is not an option; it is a requirement.

Cryptocurrency exchanges are platforms that allow users to trade coins. Until the very recent development of purely decentralized exchanges, every cryptocurrency exchange acted as the middleman between the token buyer and seller, which means it holds customer funds and customer data.

Making sure these platforms are secure is essential to protecting users' data and assets. Let's see why.

Why is security important to digital currency exchanges?

Consider a couple of critical points about exchanges:

  • Exchanges store a massive amount of valuable personally identifiable information (PII): names, addresses, government identification details, taxpayer identification numbers and a lot more.
  • Exchanges, of course, handle a lot of cash and coin deposits and withdrawals, so a compromise can be turned into money immediately.

Examples of successful hacks are countless. The most famous is probably the Mt. Gox hack, which left thousands of users without a penny (worth $450 million at the time and many times more at later prices). Others faced similar outcomes: Bitfinex was breached for over 120K BTC, Youbit went bankrupt after a $70 million loss, and NiceHash suffered a $68 million breach.

At Sqreen, we monitor and protect several crypto exchanges, ICOs, and companies involved in the crypto/blockchain space more generally. What we see is that the percentage of malicious requests that these applications have to handle is higher by 2–3 orders of magnitude.

Most of the time, hacking occurs by exploiting humans through social engineering. With a little charm, persistence and some personal information, an attacker can call your phone company, impersonate you, and have the carrier either expose your text messages through a web portal or forward your phone number to a device they control. That hands them every SMS code sent to you, and with it access to the accounts those codes protect, without ever touching your phone. This is real, not a what-if; these attacks happen every day.

Other attacks occur when computers are stolen, when sensitive material such as private keys is left sitting in chat histories, or when passwords and other secrets are shared over insecure channels.

Understanding and implementing security protocols internally, and applying best practices, is critical to preventing vulnerabilities. Attackers regularly target individual users, who don't have a full-time security team around to help with the response and aren't prepared to resist an attack.

Some recommendations for avoiding compromise, whether you are building the system yourself or relying on third parties, are as follows:

Always use 2FA (two-factor authentication), so that a phished or leaked password on its own is not enough to take over an account.

Avoid predictable password patterns (for example ryan1234a, ryan1234b, ryan1234c, and so on); once one of them leaks, the rest are guessable.

> SMS
★★
A code is sent to your mobile phone and must be entered before it times out. This is the least secure method: the carrier is an outside party that can be socially engineered, as described above, and a SIM swap or number port-out delivers every code sent to your number straight to the attacker.

> HOTP
★★★★
HMAC-based one-time password (RFC 4226). Client and server share a secret; the code is the HMAC of that secret over an 8-byte, incrementing counter, truncated to six to eight digits. The server validates by recomputing the code for the expected counter (within a small look-ahead window to absorb skipped presses) and, on success, moves its counter past the one just used so the same code can never be accepted twice.

> TOTP
★★★★
Time-based one-time password (RFC 6238). This is growing in popularity with a myriad of authenticator apps such as Civic and Google Authenticator. TOTP is HOTP with the counter replaced by the current time step, typically 30 seconds, so both sides derive a temporary code that is only valid for that window. What the user scans at enrolment is a QR code carrying the shared secret (an otpauth:// URI), not a passcode; after that one-time registration the app and the server compute codes independently.
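The HOTP and TOTP mechanics described above, as an added example that is not code from the original post. It implements RFC 4226 and RFC 6238 with the standard library, builds the otpauth:// enrolment payload, and shows the server-side checks a practitioner would want: a drift window and refusal of replayed codes. The secret is the one from the RFC test vectors; the account and issuer names are made up.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) from the standard library, plus a server-side
verifier that tolerates one step of clock drift and refuses replayed codes.
Added example; not code from the original post."""
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote

# The 20-byte secret used by the test vectors in RFC 4226 and RFC 6238.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6, algorithm=hashlib.sha1):
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = digest[-1] & 0x0F                        # low nibble of the last byte picks the window
    word = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(word % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, t0=0, digits=6, algorithm=hashlib.sha1):
    """RFC 6238: TOTP is HOTP with the counter replaced by floor((T - T0) / X)."""
    return hotp(secret, (unix_time - t0) // step, digits, algorithm)


def otpauth_uri(secret, account, issuer, digits=6, step=30):
    """Contents of the enrolment QR code: the base32 shared secret and parameters,
    in the otpauth:// format understood by Google Authenticator-style apps."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={digits}&period={step}")


class TotpVerifier:
    """Server side of TOTP for one account.

    Accepts codes for the current step and `window` steps either side of it (clock
    drift), and remembers the highest step already consumed so a code that was
    accepted once is never accepted again."""

    def __init__(self, secret, step=30, window=1, digits=6):
        self.secret = secret
        self.step = step
        self.window = window
        self.digits = digits
        self.last_accepted_step = -1

    def verify(self, code, unix_time):
        if not (isinstance(code, str) and code.isdigit()):
            return False
        current = unix_time // self.step
        for candidate in range(current - self.window, current + self.window + 1):
            if candidate <= self.last_accepted_step:
                continue           # this step, or an older one, was already used: replay
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_accepted_step = candidate
                return True
        return False
```

The verifier deliberately refuses any step at or below the last accepted one, which is stricter than RFC 6238 requires but closes the gap where an attacker who captured a code replays it within the drift window.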

> U2F
★★★★★
Universal 2nd Factor. A hardware key answers an origin-bound challenge with a signature, so a phishing site on another domain obtains nothing it can replay against the real one. This is the most secure method, however costly to deploy, because every user needs a physical token.

> JWT
★★★★
JSON Web Token. When using JWTs, sign them; HMAC (HS256) is fine when the same service issues and verifies them, and the verifier must pin the algorithm it expects rather than trusting the token's alg header. Keep tokens in session storage, not local storage, so they do not outlive the tab. Rotate signing secrets, identifying them by a kid header, so a leaked secret has a bounded lifetime.

Always verify the signature before you trust any information in the JWT. This should be a given, but it is commonly forgotten: libraries that decode without verifying, or that accept whatever alg the token declares (including none), turn the payload into attacker-controlled input. Check authenticity before letting the function proceed.

Avoid replay attacks and reuse of JWTs. Include a nonce (jti), an expiration time (exp) and a creation time (iat) in the payload, and have the server remember each jti it has accepted until that token's exp passes; without that record, the nonce alone does not stop a captured token from being presented again.
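The JWT checks from the three paragraphs above in one place, as an added example that is not code from the original post: HS256 signing, algorithm pinning that rejects "alg":"none", a kid lookup so rotated secrets overlap cleanly, iat/exp enforcement, and jti tracking. It models one-time action tokens (a withdrawal confirmation, say), where single use is the right semantics; a long-lived session token would be bound to the session instead of consumed on first use. The key, subject and action strings are invented, and only the standard library is used.

```python
"""HS256 JWT issue/verify showing the checks the text calls for: verify the
signature before trusting any claim, pin the algorithm (so "alg":"none" is refused),
enforce iat/exp, and track jti so a one-time action token cannot be replayed.
Added example using only the standard library; not code from the original post."""
import base64
import hashlib
import hmac
import json
import secrets


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj):
    return _b64url(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode())


def issue_token(secret, subject, action, ttl, now, kid="k1"):
    """Issue a one-time action token (e.g. confirming a withdrawal): the jti nonce
    makes every token unique, iat/exp bound its life, kid names the signing secret."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    payload = {"sub": subject, "act": action, "iat": now, "exp": now + ttl,
               "jti": secrets.token_urlsafe(16)}
    signing_input = _segment(header) + "." + _segment(payload)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def strip_signature_alg_none(token):
    """What an attacker tries against a careless verifier: declare alg none and drop
    the signature. A correct verifier must refuse this."""
    _, payload_b64, _ = token.split(".")
    return _segment({"alg": "none", "typ": "JWT"}) + "." + payload_b64 + "."


class TokenVerifier:
    """keys maps kid -> secret, so old and new secrets can overlap during rotation."""

    def __init__(self, keys, max_ttl=900):
        self.keys = keys
        self.max_ttl = max_ttl
        self.used_jti = {}             # jti -> exp; pruned once expired

    def verify(self, token, now):
        """Return the payload if every check passes, else raise ValueError."""
        try:
            header_b64, payload_b64, sig_b64 = token.split(".")
            header = json.loads(_b64url_decode(header_b64))
        except (ValueError, UnicodeDecodeError):
            raise ValueError("malformed token")
        # 1. Pin the algorithm: the token does not get to choose how it is verified.
        if header.get("alg") != "HS256":
            raise ValueError("unexpected alg")
        secret = self.keys.get(header.get("kid"))
        if secret is None:
            raise ValueError("unknown kid")
        # 2. Check the signature before reading a single claim.
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            raise ValueError("bad signature")
        payload = json.loads(_b64url_decode(payload_b64))
        # 3. Lifetime: claims present, not expired, not from the future, not too long-lived.
        for claim in ("sub", "act", "iat", "exp", "jti"):
            if claim not in payload:
                raise ValueError(f"missing claim {claim}")
        if not (payload["iat"] <= now < payload["exp"] <= payload["iat"] + self.max_ttl):
            raise ValueError("token expired or lifetime out of policy")
        # 4. Replay: remember accepted nonces until they expire and refuse repeats.
        self.used_jti = {j: e for j, e in self.used_jti.items() if e > now}
        if payload["jti"] in self.used_jti:
            raise ValueError("replayed token")
        self.used_jti[payload["jti"]] = payload["exp"]
        return payload


def verification_error(verifier, token, now):
    """Helper for tests and logging: the rejection reason, or None if accepted."""
    try:
        verifier.verify(token, now)
        return None
    except ValueError as exc:
        return str(exc)
```

Note the order of the checks: the algorithm and signature are settled before the payload is even decoded, so nothing in the claims can influence how the token is verified.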

> Monitor IP Activity
★★★★
Log all request activity including headers, user agent and IP address, but redact Authorization headers, cookies and API keys before they reach the log store. Track the devices and networks currently active for each account, and require a 2FA step-up when a login or a sensitive action such as a withdrawal arrives from a device or network the account has never used before.
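The step-up rule above run over a handful of log lines, as an added example that is not code from the original post. The log lines, user names, addresses (from the documentation ranges) and user agents are all constructed; the policy keys a "context" on network prefix plus user agent, redacts secret-bearing headers before anything is stored, and flags logins and sensitive actions from an unseen context for a 2FA check.

```python
"""Step-up decision over request logs: a login or sensitive action coming from a
(network, user agent) combination the account has never used must pass a 2FA check.
Added example on constructed log lines; not code from the original post."""
import ipaddress
import json

SENSITIVE_ACTIONS = {"login", "withdraw", "add_withdrawal_address", "change_2fa"}
# Header names whose values must never reach the log store.
SECRET_HEADERS = {"authorization", "cookie", "set-cookie", "x-api-key"}

# Constructed sample log lines, one JSON object per request (not real traffic).
SAMPLE_LOG = [
    '{"user":"alice","ip":"203.0.113.10","ua":"Mozilla/5.0 (Macintosh) Chrome/74","action":"login",'
    '"headers":{"Authorization":"Bearer s3cr3t","Accept":"application/json"}}',
    '{"user":"alice","ip":"203.0.113.45","ua":"Mozilla/5.0 (Macintosh) Chrome/74","action":"withdraw"}',
    '{"user":"alice","ip":"198.51.100.7","ua":"Mozilla/5.0 (Macintosh) Chrome/74","action":"withdraw"}',
    '{"user":"alice","ip":"198.51.100.7","ua":"curl/7.64.0","action":"add_withdrawal_address"}',
    '{"user":"bob","ip":"2001:db8:1::42","ua":"Mozilla/5.0 (iPhone) Safari/605","action":"login"}',
    '{"user":"bob","ip":"2001:db8:1::42","ua":"Mozilla/5.0 (iPhone) Safari/605","action":"withdraw"}',
]


def load_entry(line):
    return json.loads(line)


def network_of(ip):
    """Collapse an address to its /24 (IPv4) or /48 (IPv6) so a lease change inside
    the same network does not look like a new device."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def redact(entry):
    """Return a copy safe to write to the log: secret-bearing header values masked."""
    safe = dict(entry)
    if "headers" in entry:
        safe["headers"] = {k: ("[REDACTED]" if k.lower() in SECRET_HEADERS else v)
                           for k, v in entry["headers"].items()}
    return safe


class StepUpPolicy:
    def __init__(self):
        self.known = {}            # user -> set of (network, user agent) contexts trusted so far

    def evaluate(self, entry):
        """Decide whether this request needs a 2FA step-up. A context becomes trusted
        after a non-sensitive request from it was accepted, or when trust_context()
        is called once the user has passed the step-up."""
        context = (network_of(entry["ip"]), entry["ua"])
        seen = self.known.setdefault(entry["user"], set())
        new_context = context not in seen
        step_up = new_context and entry["action"] in SENSITIVE_ACTIONS
        if not step_up:
            seen.add(context)
        return {"user": entry["user"], "action": entry["action"], "network": context[0],
                "new_context": new_context, "step_up": step_up}

    def trust_context(self, user, ip, ua):
        self.known.setdefault(user, set()).add((network_of(ip), ua))


def run(log_lines):
    """Replay log lines through the policy and return the decisions in order.
    Simulation assumption: every required step-up is passed, so the context is then trusted."""
    policy = StepUpPolicy()
    decisions = []
    for line in log_lines:
        entry = redact(load_entry(line))
        decision = policy.evaluate(entry)
        if decision["step_up"]:
            policy.trust_context(entry["user"], entry["ip"], entry["ua"])
        decisions.append(decision)
    return decisions
```

On the sample, alice's second withdrawal from a different address in the same /24 passes without a prompt, while the one from a new network and the curl request with a new user agent both trigger a step-up; the Authorization value never appears in what would be stored.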

> Request Method
★★★
Never put sensitive data in GET query strings. Parameters carried in the URL end up in browser history, proxy and server access logs and Referer headers, where they can be read long after the request was made. Send credentials, tokens and transaction details in the body of a POST (or another state-changing method) over TLS, and protect those endpoints against CSRF.

This is particularly important for anything involving credit cards (card payment systems) or crypto (access to accounts).


Ryan Hickman (CoinDealer) is passionately focused on building and investing in Artificial Intelligence and the Blockchain.