How Can Exchanges Gain Back Users’ Trust?
Another week, another major hack of a crypto exchange. Specifically, the New Zealand-based Cryptopia just suffered a loss of over $180k in ether, just the latest in the wave of ongoing problems plaguing crypto exchanges. Not to mention Quadriga and the devastating loss of private keys and inaccessible balances to the tune of $190M.
News like these are the groundhog to our Crypto Winter, spotting its shadow and dragging it on forever.
Operational security is essential. Kris Coward, Shyft’s Chief Scientist, recently published a piece in HackerNoon about the need for greater security in crypto exchanges, and how Shyft has the potential to make these exchanges a lot more secure. Let’s lay out five of the major solutions Shyft has to offer.
The cost factor: Make attacks too expensive to carry out
A major part of security is making data theft simply not worth the effort. Exchanges become easy targets, because they’re sitting on a goldmine of personal user data and private keys. But more data isn’t always better, and as centralized entities, they’re vulnerable.
On Shyft, the responsibility for holding user data is distributed across various Trust Anchors — major institutions (banks, government departments, etc.) with heavy-duty security systems, and they are going to be the ones holding that sensitive data. All of a sudden, the cost and risk of pulling off an attack that gains access to information of value has just gone up astronomically. There’s simply a lot less for attackers to steal.
Catch threats before they’re threats
The problem with the current security model not only for exchanges but for the internet more broadly is that it’s strictly reactive rather than proactive. And despite exchanges taking measures to protect user data and funds, they are inevitably targeted.
On the Shyft network, a key piece of our architecture, called the Bridge, monitors the health of the network and looks for certain behavioural patterns commonly associated with malicious user activity. If and when a threat is detected, the network can immediately notify exchanges and, if required, drastically slow down or even stop block confirmations until the threat has been resolved.
Don’t do what Quadriga did: Private keys management, attestation and revocation
Shyft’s attestation and revocation model offers a unique set of safeguards against the potential theft of funds. “Attestations” are defined as datasets that verify aspects of a user’s online identity or set of credentials/identifiers, such as age range, country of residence, etc. (More on this here)
In Shyft model, when a user becomes aware of a potential security issue compromising their private keys, they can notify the network and issue a temporary or permanent revocation order, ensuring that the exchange will no longer trust the identity associated with the private key.
Once the user has determined whether or not the coast is clear, they can make the appropriate move — either notify the network that the current key is permanently burnt and ensure that it’s blacklisted, or (in the case of a lost, then found, cellphone containing the private key information). This feature ensures that in the event that a user’s key is compromised, they’ll have a handy mechanism to freeze their assets.
Minimize the damage from successful attacks
One of the more shocking things about hacks like the one Cryptopia suffered is just how powerless exchanges appear: there’s no recourse. Weeks after the breach is initially detected, the losses keep mounting.
In the case of a malicious attack, Shyft Bridge can not only slow or stop block confirmations, it can roll back the state of the chain to effectively “undo” the theft.
Moreover, it contains built-in mechanisms that incentivize nodes on the network to help with restoring the infected data. These incentives also go to making users who have lost funds whole again.
Reducing costs and unlocking new revenue streams
Shyft’s attestation functionality, real-time audit trail, and sets of credentials that can be proven and have a transaction history attached to it opens up new revenue streams. For the first time, there’s a secure trust infrastructure available that can reduce the complexity and cost associated with performing KYC checks, and any other checks on the validity of credentials or sets of privileges.
Because user behaviour and attestations are legibly indexed, costs associated with lookups and other routine tasks can be significantly cut down. Users and dApp developers could access sets of attested, verified data, with strong user-consent framework built in, and remain compliant without storing that data and becoming yet another data breach news headline.
We need exchanges — and all the companies in the crypto space — to take a closer look at how they deal with data.
We believe these features, among many others on Shyft Network will become the new industry standard. We need exchanges — and all the companies in the crypto space — to take a closer look at how they deal with data. We recommend following these three principles as a starting point:
- First, don’t collect any data that is not mission-critical
- Second, consider the costs of processing and storing that data. The best way to prevent hackers from accessing your central databases is to look into holding and accessing that data in a decentralized, federated way
- Third, make sure you stay on top of technological advances that help prevent the attacks.
Going forward, there will only be more data, not less. As more services come online, and as we build the internet of value, crypto industry must stop putting users’ privacy — and funds — at risk.