Bithumb hack shows crypto’s need for formal cybersecurity standards
Uniform cryptocurrency cybersecurity standards could make the road smoother going forwards.
Cybersecurity is one of those things. As yesterday's Bithumb hack shows, even the best-known and most reputable centralised exchanges can lose customer funds to ingenious attackers.
Officially raising the bar
The Bithumb attack came just a few days after it updated its security systems, suggesting that the updates may have unintentionally opened up an exploitable new security hole. The problem is that these constant updates are necessary, but each one is a new opportunity for human fallibility to meet criminal ingenuity.
"Centralized exchanges are built for speed and convenience, not security," explains Alan Curtis, CEO of the Radar Relay decentralised exchange. "Their architecture uses active wallets, often called hot wallets, to move assets in and out while each user's balance is maintained internally. To a bad actor or a hacker, this security model looks like a target, with billions of dollars worth of assets available to steal if they find a flaw in the exchange app or underlying security architecture. While there are clear best practices for architecture design, there is no cyber security oversight from global regulators on exchanges."
The response to all the ongoing hacks targeting cryptocurrency exchanges has been piecemeal and mostly driven on a country-by-country basis after the fact.
The CoinCheck hack, for example, is still the largest single hack attack in cryptocurrency history with more than $500 million of customer NEM disappearing. It was later found that CoinCheck was keeping all those customer funds in a hot wallet, against all best practices but not in breach of any mandatory standards, which made the hack possible. The attack sparked an investigation of exchanges in Japan, and several were found to be operating with similar issues.
"These hacks are becoming more frequent as the incentives for hackers remain enticing. Companies need to make a dedicated and continuous effort, through penetration testing and smart contract auditing, for example, to provide the security necessary to protect the assets of their investors and users," said Yo Kwon of the Hosho cybersecurity firm.
As the incident and response shows, the obvious problem is that mandatory standards are usually only coming after the fact, and they're arriving in different places on a piecemeal basis.
"Without [regulatory frameworks] in place, there is no way to ensure that security measures throughout the crypto landscape are held to a uniform standard," said Kowala CEO Eiland Glover. "Once regulators define the rules of the road and security protocols for digital asset exchanges, these exchanges will mature and strengthen in turn."
It also stands to save a lot of time and effort in the coming months and years, as established financial institutions start moving towards cryptocurrency systems. Cybersecurity concerns are one of the main sticking points preventing easy uptake, so uniform security standards could make adoption much smoother.
One of the elementary standards might be to have enough funds, or insurance, to cover customer losses.
These security breaches are "standard today as security is fundamentally difficult to get right," said Dr. Arthur Gervais, co-founder of Liquidity Network. "If Bithumb is able to cover the losses on behalf of their customers, their operations are properly set up to mitigate risks that would potentially affect their customers."
Disclosure: At the time of writing, the author holds ETH, IOTA, ICX, VET, XLM, BTC and XRB.
- Opinion: Libra and Congress are at an impasse. Congress has to move
- What Bitcoin does now could decide whether it hits new 2019 highs
- Coinbase introduces three trading signals
- IMF: Cryptocurrency stablecoins will likely put some banks out of business
- Bitcoin carnage: What caused today’s massive price drop?