BY CNA team - October 4, 2018
Crypto exchange security report reveals shortcomings
A report on the security of cryptocurrency exchanges shows that much can still be done to make them more secure, especially in the wake of a slew of hacks this year.
ICORating, a New York-based research outfit, recently published a report assessing the security measures of 100 exchanges with a daily trading value exceeding US$1mil against a set of four potential vulnerabilities and how these could impact the exchanges and their users.
The four vulnerabilities it considered were console errors, user account security, registrar and domain security, and web protocols security.
After analysing the 100 exchanges based on the measures they have taken against these vulnerabilities, Coinbase Pro, the exchange operated by Coinbase, topped the list with a score of 89 points out of a possible 100.
Another US exchange, Kraken, came in at second, with 80 points while the Hong Kong-based BitMEX came in third with 78 points.
Of the three better-known Chinese exchanges, Binance, also the largest exchange globally, came in 17th with 63 points, OKEx 42nd with 47 points and Huobi 47th with 46 points.
It found that 32% of exchanges have code errors, which lead to defects in operation that, while not critical, could result in data loss.
In user account security, it found that only 46% of exchanges meet the four parameters for a secure user account.
The four parameters assessed were the possibility of creating a password with fewer than eight symbols, the possibility of creating a password with either digits or letters alone, email verification following account creation, and the presence or absence of two-factor authentication.
In registrar and domain security, only 4% of exchanges were found using best practice in four of the five best practices listed for assessment: registry lock, registrar lock, role accounts, expiration and Domain Name System Security Extensions.
In web protocols security, the assessment was made to see whether exchanges possessed the five headers that ensured protection against various attacks.
The five headers used for the assessment were the Strict-Transport-Security header, the X-XSS-Protection header, the Content-Security-Policy header, the X-Frame-Options header and the X-Content-Type-Options header.
ICORating says only 10% of exchanges have all five headers, with 29% not having any of the five and only 17 of the 100 having a content security policy header.
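As an added illustration (not code from the ICORating report or from any exchange), the following Python audits a response's headers for the five named above. The report only tested presence, so the per-header value checks and the constructed sample response are this example's own assumptions.

```python
"""Audit an HTTP response's security headers against the five the ICORating
report looked for. Added example; not code from ICORating or any exchange."""
import re


def _hsts_ok(v):
    # HSTS is only meaningful with a positive max-age.
    m = re.search(r"max-age=(\d+)", v, re.I)
    return bool(m) and int(m.group(1)) > 0


# The five headers named in the report. The report checked presence only;
# the value checks here are this example's own (heuristic) assumptions.
CHECKS = {
    "Strict-Transport-Security": _hsts_ok,
    "X-XSS-Protection": lambda v: v.strip().startswith("1"),   # "0" disables it
    "Content-Security-Policy": lambda v: "default-src" in v.lower(),  # heuristic
    "X-Frame-Options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "X-Content-Type-Options": lambda v: v.strip().lower() == "nosniff",
}


def audit_headers(headers):
    """headers: mapping of header name -> value as received from the server.
    Returns {name: 'ok' | 'weak' | 'missing'}; names are matched
    case-insensitively, as HTTP header names are."""
    lowered = {k.lower(): v for k, v in headers.items()}
    result = {}
    for name, check in CHECKS.items():
        value = lowered.get(name.lower())
        if value is None:
            result[name] = "missing"
        else:
            result[name] = "ok" if check(value) else "weak"
    return result


def present_count(headers):
    """Number of the five headers present at all (the report's presence test)."""
    return sum(1 for s in audit_headers(headers).values() if s != "missing")


# Constructed sample response: some headers set, one with a weak value.
SAMPLE_RESPONSE = {
    "content-type": "text/html; charset=utf-8",
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "x-frame-options": "ALLOWALL",
    "x-content-type-options": "nosniff",
}

if __name__ == "__main__":
    for name, status in audit_headers(SAMPLE_RESPONSE).items():
        print(f"{name:26s} {status}")
    print("present:", present_count(SAMPLE_RESPONSE), "of", len(CHECKS))
```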
Meanwhile, it estimates that over the past eight years, some US$1.3bil has been lost through hacks involving 31 exchanges.