Cryptocurrency exchanges are under pressure to improve security practices to mitigate future cyberattacks and scams after losses of more than $3billion in 2020.
Malicious attacks have become increasingly frequent and sophisticated, causing significant financial loss and serious PR issues for the entire crypto asset market.
According to Ben Zhou, co-founder and CEO of crypto trading platform Bybit, exchanges need to better address areas of vulnerability and apply multiple layers of security for penetration testing in order to combat potential hacking threats.
Here Zhou discusses why cryptocurrency exchanges are being targeted and how the right investment can prevent potential data breaches internally and externally.
Security incidents of cryptocurrency exchanges are occurring more regularly, and thieves have begun to wise up to some of the more ‘basic security protocols’ that some exchanges have employed.
One of the more widely reported cases was that of Japanese Bitcoin exchange Mt. Gox, which collapsed in 2014 after losing $460million to hackers. The ramifications of the case continue to this day. As the popularity of crypto and the volume of trades increase, so does the appetite of hackers looking for an opportunity to score a payday.
Bitcoin, one of the more widely known and traded cryptocurrencies, has been the digital asset of choice for scammers in recent years. In 2016, hackers stole $72million worth of Bitcoin from exchange Bitfinex, and in 2018 hackers stole $500million in digital tokens from exchange Coincheck. At the tail end of last year, approximately $40million worth of Bitcoin was stolen from Binance through a single transaction.
The crypto world was also thrust into mainstream news last year following a high-profile Twitter hack that saw hackers taking control of accounts from a ‘who’s who’ of wealthy or well-known individuals and companies, including Barack Obama, Bill Gates, Elon Musk, Joe Biden, Warren Buffett, Jeff Bezos and Kanye West.
Hackers invited their followers to deposit Bitcoin into a particular account with the promise of receiving double their money in return. Even Apple and Uber were drawn into the fray. Although this specific scenario appears to have been a quick and dirty money heist, the scam netted more than $120,000.
Meanwhile, in September 2020, cryptocurrency exchange KuCoin reported a major security breach affecting Bitcoin, Ether and ERC20 hot wallets to the tune of $280million.
Security concerns and the subsequent negative media coverage often become the centre of attention, with a reported $1.7billion in cryptocurrency stolen over the years, most of which has come from exchanges either based in, or centred around, Asia.
Why are cryptocurrency exchanges being targeted?
The reason is quite simple: because they can. Cryptocurrency exchanges have been plagued by malicious attacks since the first exchange launched over a decade ago. Over time, these malicious attacks have become increasingly frequent and sophisticated, causing significant financial loss and serious public relations issues for the entire crypto asset market.
The main issue, however, is that most exchanges act as a centralised single point of failure, which in most cases is vulnerable by design. As a centralised web application programmed to execute specific transactions, an exchange is susceptible to the same security issues and concerns as any other website.
In addition, the vast majority of cryptocurrency exchange servers and storage networks preserve live pools of digital currency in hot wallets. However, if the hot wallets are not properly protected, or if application functions on the backend, such as mobile app access, terminals, data repositories and application programming interfaces (APIs), lack sufficient security controls, the cryptocurrency held within hot wallets could be vulnerable to theft, making them inviting targets for cybercriminals.
With regard to security, there is no doubt that a cold wallet system is vastly superior to hot wallets. Even though both wallets store security keys and codes, the fact that hot wallets are connected online makes them more vulnerable to potential hacking threats or scamming attempts. Cold wallets, on the other hand, are not connected online, making them a significantly safer and more stable option. The only downside is not being able to make large withdrawals from an exchange immediately. But which would you rather have, immediacy with a considerably higher risk factor or a slight delay with assurances that your cryptocurrency is safe?
How can cryptocurrency exchanges better mitigate security risks?
Investing in security should be one of the highest priorities on an exchange platform’s agenda, especially if it operates online. The extent of security investment reflects the overall security commitment and capabilities of a company. On average, most of the leading cryptocurrency exchanges spend around 15 per cent, with some increasing investment in security to 20 per cent or more. Spend shouldn’t be the only factor for consideration, though; it’s just as important to adopt and adhere to best practices in cybersecurity and risk management.
In order to combat potential hacking threats, exchanges need to better address areas of vulnerability and apply multiple layers of security for penetration testing, in order to better assess the effectiveness and preparedness of the security system’s defences. Any security system employed should also cover privacy and information protection across all points of interaction with the exchange. Put simply, this means protecting a user’s data and information throughout, from account registration, login and trading to any information exchange with the platform.
This can be accomplished by applying best practices for application lifecycle management, hiring knowledgeable and reputable security consultants for penetration testing and running bounty programs within the white hat community to identify any potential vulnerabilities. It’s also recommended that cryptocurrency exchanges work with reputable security audit institutions to carry out security audits, apply strict management processes, and invest in zero-trust architecture, whereby all access to a service requires verification in order to prevent any potential data breaches internally and externally. This drastically reduces the risk arising from human error.
There are a number of bespoke security solutions that can be externally sourced and applied from reliable vendors. However, if the exchange has the right talent, experience, expertise and capabilities, solutions can also be developed in-house, which could provide better oversight over potential security concerns.
At Bybit, we put our customers above all else and have invested considerable resources in developing and enhancing our own security protocols and solutions. We have implemented an industry-leading, multi-signature HD cold wallet system to guarantee the safety of our traders’ funds. We would rather sacrifice some user experience to ensure asset security.
When it comes to combating potential hacking threats and internal control management, we organise and conduct multiple red alert scenarios and bounty programmes with the white hat community to ensure there are no system vulnerabilities. Even when it comes to withdrawals, we subject any requests to at least three layers of risk-control verifications. Crypto asset consolidation among cold wallets follows the strictest policy, including physical environment security, system security, encryption techniques, operation authentication, monitoring and audit.
As the industry gradually matures, we expect many more cryptocurrency exchanges to continue to innovate for the benefit of traders. Investing in, and ensuring the implementation of, the right processes, protocols and relevant security measures will be a necessity in order to insulate traders from potential hacks and security breaches. Those that don’t keep pace with the latest cybersecurity trends and solutions leave themselves more vulnerable and open to attack in the future.