Study: Cryptocurrency exchanges are making basic security mistakes
It's not about meeting minimum standards, so much as being as secure as reasonably possible.
An analysis of some of the world's top cryptocurrency exchanges by Dr Vidy Potdar, a cybersecurity researcher at the upcoming security-centric crypto exchange Ausfinex, has found that many of them are still making some relatively basic security mistakes.
The most basic errors still being made were lax password policies and underuse of HTTP security headers. Both can be implemented relatively seamlessly, Potdar says, so there might be little reason not to make sure all steps are being taken.
How do you test password policies? You make passwords.
All exchanges tested included the must-have measures such as 2FA and passwords of eight or more characters.
Overall, Potdar says, all exchanges enforced some kind of strong password policy, but there was still some clear room for improvement with none of them enforcing reserved words.
These reserved words are terms which should be disallowed in passwords, on account of being so commonly used that they're easily brute-forced. The most common is "password," but terms like "admin" or "root" might also be commonly used, and attempted by someone trying to break in.
"It should also flag cases when numbers are used in a serial order, e.g. '123456' or '123'. Some exchanges did not enforce using a special character in the password, so we were able to register with a password like 'Admin123'," Potdar says. "Overall, it seems that although some form of password strength is considered, it is far from ideal. Password policies should be given a great deal of thought and should cover all possible angles to make it as difficult as possible for hackers to compromise user accounts."
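The checks Potdar describes (a minimum length, a required special character, a deny-list of reserved words such as "password", "admin" and "root", and a rejection of serial digit runs like "123456") are easy to express as a registration-time validator. The following is an added example written for this article, not code from Ausfinex or from the study; the reserved-word list is a constructed, deliberately tiny illustration (a production deployment would check against a large breached-password list), and the `run` length of three is an assumption chosen so that both '123' and '123456' are rejected.

```python
import re
from typing import List

MIN_LENGTH = 8

# Constructed deny-list of reserved words named in the article; illustrative only.
RESERVED_WORDS = ("password", "admin", "root")

# Characters counted as "special" for the policy (an assumption of this example).
SPECIAL_CHARS = set("!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~")


def has_serial_digits(password: str, run: int = 3) -> bool:
    """True when any digit run of length >= `run` counts up or down by one,
    e.g. '123', '123456' or '987'. Runs like '2468' are not serial."""
    for chunk in re.findall(r"\d+", password):
        for i in range(len(chunk) - run + 1):
            window = chunk[i:i + run]
            steps = {int(window[j + 1]) - int(window[j]) for j in range(run - 1)}
            if steps == {1} or steps == {-1}:
                return True
    return False


def password_violations(password: str) -> List[str]:
    """Return every policy rule the candidate password breaks (empty list = acceptable)."""
    violations: List[str] = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    lowered = password.lower()
    for word in RESERVED_WORDS:
        # Case-insensitive substring match, so 'Admin123' is caught by 'admin'.
        if word in lowered:
            violations.append(f"contains reserved word '{word}'")
    if not any(c in SPECIAL_CHARS for c in password):
        violations.append("no special character")
    if has_serial_digits(password):
        violations.append("contains serial digits")
    return violations


def is_acceptable(password: str) -> bool:
    return not password_violations(password)


if __name__ == "__main__":
    # 'Admin123' is the example from the study that a weak policy let through.
    for candidate in ("Admin123", "password1!", "Tr0ub4dor&Fr0g"):
        print(candidate, "->", password_violations(candidate) or "OK")
```

Note that 'Admin123' passes a naive "eight characters, mixed case, has a digit" rule and only fails once the reserved-word, special-character and serial-digit checks are in place, which is exactly the gap the study points at.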
Of course, there's nothing like the special pain of an online service demanding an exorbitantly strong, impossible-to-remember password to protect something you don't really care about, and there is a certain balance to strike between ease of use, accessibility and security. But cryptocurrency exchanges should probably be leaning strongly towards security.
"HTTP security headers instruct browsers in how to behave when interacting with your website's content and data. For example, strict-transport-security tells the browser to only communicate over HTTPS," Potdar explains. "Similarly, when implemented, content-security-policy prevents cross-site scripting attacks. The x-frame-options header protects against clickjacking and prohibits loading of iframes on the site."
"Security headers are relatively simple to implement, as they only require a few server side configuration changes while strengthening your overall security framework, mitigating attacks and security vulnerabilities... we reviewed the eleven platforms to assess their HTTP Header Security implementation and found interesting results."
Overall, Binance and CoinSpot GDAX (now known as Coinbase Pro) and Bitfinex were the most rigorous, as befits three of the world's largest and most-trafficked exchanges. Across the board, there seems to be a clear correlation between how large and well-known an exchange is and the HTTP headers it employs.
But once again, there might still be room for improvement.
"None of the exchanges have implemented content-security-policy. Only one exchange has implemented HTTP public-key-pins," Potdar notes. "54% of exchanges did not implement ... Redirection was implemented by 9 exchanges, whereas Subresource Integrity was again missed by all the exchanges. X-frame-options was only implemented by 7 (63%) exchanges and X-XSS-Protection was implemented by just 5 (45%) exchanges."
"Overall, it seems that implementing HTTP Security Headers are not a big task, but the majority of the exchanges have either overlooked it or not given it much thought."
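The header review described above boils down to inspecting a response's header map for the names the study lists and checking that the values actually say something useful. The script below is an added example for this article, not code from the study or from Ausfinex: it audits a header dictionary for the four response headers the article names and applies a few value checks that are this example's own assumptions (an HSTS max-age of at least one year, an X-Frame-Options value of DENY or SAMEORIGIN, a CSP without 'unsafe-inline'). The two sample header sets are constructed, not captured from any real exchange.

```python
from typing import Dict, List

# Response headers the study looked for (public-key-pins is omitted: HPKP has
# since been deprecated and removed from major browsers, and X-XSS-Protection
# is a legacy filter that modern browsers no longer honour; CSP replaces it).
CHECKED_HEADERS = {
    "strict-transport-security": "forces HTTPS (HSTS)",
    "content-security-policy": "restricts script/resource origins (XSS mitigation)",
    "x-frame-options": "blocks framing (clickjacking)",
    "x-xss-protection": "legacy browser XSS filter",
}

ONE_YEAR = 31536000  # seconds; the HSTS max-age floor assumed by this example


def _hsts_max_age(value: str) -> int:
    """Parse the max-age directive out of a Strict-Transport-Security value."""
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.lower() == "max-age" and val.strip().isdigit():
            return int(val.strip())
    return 0


def audit_headers(headers: Dict[str, str]) -> Dict[str, List[str]]:
    """Report which checked headers are absent and which are present but weak."""
    # Header names are case-insensitive, so normalise before lookup.
    present = {k.lower(): v.strip() for k, v in headers.items()}
    missing = [h for h in CHECKED_HEADERS if h not in present]
    weak: List[str] = []

    hsts = present.get("strict-transport-security")
    if hsts is not None and _hsts_max_age(hsts) < ONE_YEAR:
        weak.append("strict-transport-security: max-age below one year")

    xfo = present.get("x-frame-options")
    if xfo is not None and xfo.upper() not in ("DENY", "SAMEORIGIN"):
        weak.append("x-frame-options: value is neither DENY nor SAMEORIGIN")

    csp = present.get("content-security-policy")
    if csp is not None and "unsafe-inline" in csp:
        weak.append("content-security-policy: allows 'unsafe-inline'")

    return {"missing": missing, "weak": weak}


# Constructed sample responses (not from any real exchange).
SAMPLE_WEAK = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "ALLOW-FROM https://example.invalid",
}

SAMPLE_HARDENED = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "X-XSS-Protection": "1; mode=block",
}


if __name__ == "__main__":
    for label, hdrs in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(label, audit_headers(hdrs))
```

To run this against a live site, feed it the `headers` of an HTTPS response (for instance `dict(urllib.request.urlopen(url).headers)`); the point of the constructed samples is only to show that "header present" and "header effective" are different findings, which is why the audit reports missing and weak separately.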
More is more
There's a lot of talk about minimum required security standards for exchanges, but it might be the wrong way of looking at it, Potdar says. Hacks happen all the time, and in some cases, including the record-holding half-billion-dollar CoinCheck hack, it's later discovered that the attackers walked right in through obvious security holes that should never have been open.
It might be even more important if you subscribe to the theory that there's no such thing as 100% bulletproof security. Thieves of all kinds tend to look for the weaker targets, so simply by being more secure than its neighbours, an exchange can be much less likely to be targeted and robbed.
Exchanges shouldn't be looking at how they can meet minimum security standards, Potdar says. Instead, they should be focused on being as secure as possible.
"I have read several security reports and studies that mention that cryptocurrency exchanges should provide minimum security standards," he says. "I, however, strongly suggest that cryptocurrency exchanges should provide maximum security standards. I think it is important not to underestimate the task of running a cryptocurrency exchange or the importance of providing the maximum amount of security from the ground up."
Disclosure: At the time of writing the author holds ETH, IOTA, ICX, VET, XLM, BTC, ADA