
Study: Cryptocurrency exchanges are making basic security mistakes

Posted: 31 August 2018 4:44 pm News

It's not about meeting minimum standards, so much as being as secure as reasonably possible.

An analysis of some of the world's top cryptocurrency exchanges by Dr Vidy Potdar, a cybersecurity researcher at the upcoming security-centric crypto exchange Ausfinex, has found that many of them are still making some relatively basic security mistakes.

The most basic errors still being made were lax password policies and underuse of HTTP security headers. Both can be implemented relatively seamlessly, Potdar says, so there might be little reason not to make sure all steps are being taken.



Password policies

How do you test password policies? You make passwords.

All exchanges tested included the must-have measures such as 2FA and passwords of eight or more characters.

Is "anything" a good password? Source: Ausfinex

Overall, Potdar says, all exchanges enforced some kind of strong password policy, but there was still clear room for improvement, with none of them blocking reserved words.

These reserved words are terms which should be disallowed in passwords, on account of being so commonly used that they're easily brute-forced. The most common is "password," but terms like "admin" or "root" might also be commonly used, and attempted by someone trying to break in.

"It should also flag cases when numbers are used in a serial order e.g. '123456' or '123'. Some exchanges did not enforce using a special character in the password so we were able to register with a password like 'Admin123'," Potdar says. "Overall, it seems that although some form of password strength is considered, it is far from ideal. Password policies should be given a great deal of thought and should cover all possible angles to make it as difficult as possible for hackers to compromise user accounts."

Of course, there's nothing like the special pain of an online service demanding an exorbitantly secure, impossible-to-remember password to protect something you don't really care about, and there is a certain balance to strike between ease of use, accessibility and security. But cryptocurrency exchanges should probably be leaning strongly towards security.
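A registration-time check covering the rules described above (minimum length, reserved words, serial digits, a required special character), as an added example that is not code from Ausfinex or any exchange. The substitution table, the descending-run check and the function names are assumptions of this example.

```python
import re

# Reserved words named in the article; a production list would be much longer.
RESERVED_WORDS = ("password", "admin", "root")
MIN_LENGTH = 8   # the baseline every tested exchange already enforced
MIN_RUN = 3      # "123" is the shortest serial run the article mentions
DIGITS = "0123456789"

# Assumption of this example: undo common character substitutions so that
# "P@ssw0rd" is still recognised as "password".
LEET = str.maketrans("@4301!5$7", "aaeoiisst")

def has_serial_digits(pw, run=MIN_RUN):
    """True if pw holds `run` or more digits in ascending or descending order."""
    for step in (1, -1):
        streak = 1
        for prev, cur in zip(pw, pw[1:]):
            if prev in DIGITS and cur in DIGITS and ord(cur) - ord(prev) == step:
                streak += 1
                if streak >= run:
                    return True
            else:
                streak = 1
    return False

def policy_violations(pw):
    """Return the list of reasons a candidate password is rejected."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too short")
    lowered = pw.lower()
    folded = lowered.translate(LEET)
    for word in RESERVED_WORDS:
        if word in lowered or word in folded:
            problems.append(f"reserved word: {word}")
    if has_serial_digits(pw):
        problems.append("serial digits")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("no special character")
    return problems

if __name__ == "__main__":
    # Constructed sample passwords, including the one quoted in the article.
    for candidate in ("Admin123", "P@ssw0rd!9", "Tr7#kLmq92xe"):
        print(candidate, policy_violations(candidate) or "accepted")
```

The password the researchers registered with, 'Admin123', meets the eight-character minimum but fails the other three rules.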

HTTP headers

"HTTP security headers instruct browsers in how to behave when interacting with your website's content and data. For example, strict-transport-security tells the browser to only communicate over HTTPS," Potdar explains. "Similarly, when implemented, content-security-policy prevents cross-site scripting attacks. The x-frame-options header protects against clickjacking and prohibits loading of iframes on the site."

"Security headers are relatively simple to implement, as they only require a few server side configuration changes while strengthening your overall security framework, mitigating attacks and security vulnerabilities... we reviewed the eleven platforms to assess their HTTP Header Security implementation and found interesting results."

Interesting results (pictured). Source: Ausfinex

Overall, Binance and CoinSpot GDAX (now known as Coinbase Pro) and Bitfinex were the most rigorous, as befits three of the world's largest and most-trafficked exchanges. Across the board, there seems to be a clear correlation between how large and well-known an exchange is and the HTTP headers it employs.

But once again, there might still be room for improvement.

"None of the exchanges have implemented content-security-policy. Only one exchange has implemented HTTP public-key-pins," Potdar notes. "54% of exchanges did not implement strict-transport-security. Redirection was implemented by 9 exchanges, whereas Subresource Integrity was again missed by all the exchanges. X-frame-options was only implemented by 7 (63%) exchanges and X-XSS-Protection was implemented by just 5 (45%) exchanges."

"Overall, it seems that implementing HTTP Security Headers is not a big task, but the majority of the exchanges have either overlooked it or not given it much thought."

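A header audit for the response headers named in this section, as an added example that is not the researchers' tooling. It separates a header that is missing from one that is present but set to a value that does nothing. The sample response is constructed, and the status labels and function names are assumptions of this example.

```python
import re

# Constructed sample response head (not captured from any real exchange).
SAMPLE_RESPONSE = """\
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=0
X-Frame-Options: ALLOWALL
X-XSS-Protection: 1; mode=block
"""

def parse_headers(raw):
    """Return {lower-cased name: value} from a raw HTTP response head."""
    headers = {}
    for line in raw.splitlines()[1:]:      # skip the status line
        if not line.strip():
            break                           # blank line ends the head
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def hsts_ok(value):
    # HSTS is only in force with a positive max-age; max-age=0 clears it.
    m = re.search(r'max-age\s*=\s*"?(\d+)', value, re.I)
    return bool(m) and int(m.group(1)) > 0

def xfo_ok(value):
    # Only DENY and SAMEORIGIN restrict framing; other values are not honoured.
    return value.strip().upper() in {"DENY", "SAMEORIGIN"}

# Headers named in the article, each with a check on its value.
CHECKS = {
    "strict-transport-security": hsts_ok,
    "content-security-policy": lambda v: bool(v.strip()),
    "x-frame-options": xfo_ok,
    "x-xss-protection": lambda v: v.strip().startswith("1"),
    "public-key-pins": lambda v: "pin-sha256" in v.lower(),
}

def audit(raw):
    """Map each header to 'ok', 'weak' (present but ineffective) or 'missing'."""
    headers = parse_headers(raw)
    return {name: "missing" if name not in headers
            else ("ok" if check(headers[name]) else "weak")
            for name, check in CHECKS.items()}

if __name__ == "__main__":
    for name, status in audit(SAMPLE_RESPONSE).items():
        print(f"{name:28} {status}")
```

A survey that only counts whether a header is present would score this sample as implementing strict-transport-security and x-frame-options, although neither value protects anything.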
More is more

There's a lot of talk about minimum required security standards for exchanges, but it might be the wrong way of looking at it, Potdar says. Hacks happen all the time, and in some cases, including the record-holding half billion dollar CoinCheck hack, it's later discovered that the attackers walked right in through obvious security holes that should never have been opened.

It might be even more important if you subscribe to the theory that there's no such thing as 100% bulletproof security. Thieves of all kinds tend to favour and look for the weaker targets, so simply by being more secure than their neighbour, an exchange can overall be much less likely to be targeted and robbed.


Exchanges shouldn't be looking at how they can meet minimum security standards, Potdar says. Instead, they should be focused on being as secure as possible.

"I have read several security reports and studies that mention that cryptocurrency exchanges should provide minimum security standards," he says. "I, however, strongly suggest that cryptocurrency exchanges should provide maximum security standards. I think it is important not to underestimate the task of running a cryptocurrency exchange or the importance of providing the maximum amount of security from the ground up."


Disclosure: At the time of writing the author holds ETH, IOTA, ICX, VET, XLM, BTC, ADA

Disclaimer: This information should not be interpreted as an endorsement of cryptocurrency or any specific provider, service or offering. It is not a recommendation to trade. Cryptocurrencies are speculative, complex and involve significant risks – they are highly volatile and sensitive to secondary activity. Performance is unpredictable and past performance is no guarantee of future performance. Consider your own circumstances, and obtain your own advice, before relying on this information. You should also verify the nature of any product or service (including its legal status and relevant regulatory requirements) and consult the relevant Regulators' websites before making any decision. Finder, or the author, may have holdings in the cryptocurrencies discussed.


Picture: Shutterstock
