54% of Cryptocurrency Exchanges Have Security Holes

Exchange security report by ICORating.com

Over the years, digital thieves have stolen millions of dollars’ worth of cryptocurrency from various exchanges. The crypto market attracts a huge number of investors, all hoping for the highest returns, and few seem troubled by the fact that stolen crypto is never refunded: transactions and assets are not secured in any way, which makes investing in cryptocurrencies genuinely hazardous. The largest crypto exchanges hold vast amounts of digital cash, and that makes them very attractive targets for hackers.

Over the past 8 years, about 31 crypto exchanges have been hacked and more than 1 billion dollars (actually $1.3 bn) stolen. Some of the exchanges learned from their mistakes and managed to recover, others went bankrupt, and several of the least fortunate, such as Mt.Gox, Bitcoinica, PicoStocks and Bitcurex, were attacked multiple times.

When preparing this security rating, we assessed each exchange’s security measures against the following potential vulnerabilities, which could negatively impact exchanges and their users.

The report will discuss the following issues in detail:

  • Console errors
  • User Account Security
  • Registrar and Domain Security
  • Web Protocols Security

We selected exchanges whose daily trade value exceeds one million USD; the total number of exchanges on the list is 100.

Console errors

Console errors are errors and warnings in the exchange’s web code that are reported in the browser console. They can cause some systems to malfunction and so lead to problems for users. This type of vulnerability is usually not critical, but it should be taken into account, since in some instances such errors have resulted in data loss.

  • Exchanges with neither errors nor warnings of this kind: 49%
  • Exchanges with no errors: 68%

Conclusion: 32% of exchanges have code errors, which leads to certain defects in operation.

User Account Security

A separate account was created on each exchange. The following parameters were assessed:

  1. The possibility of creating a password with fewer than 8 symbols
  2. The possibility of creating a password with either digits or letters alone
  3. Email verification immediately after account creation
  4. The presence or absence of 2FA

The results of this assessment are as follows:

  • 41% of exchanges allow passwords with fewer than 8 symbols
  • 37% of exchanges allow passwords with either digits or letters alone
  • 5% of exchanges allow the creation of accounts without email verification
  • 3% of exchanges lack 2FA
  • Only 46% of exchanges meet all four parameters
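The two password parameters above (minimum length and the digits-only / letters-only check) can be expressed both as the validator an exchange should run on its signup form and as the audit the report performed, which is to try weak passwords and see whether the form accepts them. The following is an added example, not code from ICORating or from any exchange; the two signup-form models and the probe passwords are constructed for the demonstration.

```python
from typing import Callable, Dict, List

MIN_LENGTH = 8  # parameter 1 of the report: at least 8 symbols


def password_policy_failures(password: str) -> List[str]:
    """Return the report's password parameters that `password` violates.

    Parameter 1: fewer than 8 symbols.
    Parameter 2: the password consists of digits alone or of letters alone.
    """
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("fewer than 8 symbols")
    if password.isdigit() or password.isalpha():
        failures.append("digits or letters alone")
    return failures


def hardened_signup_accepts(password: str) -> bool:
    """Model of an exchange signup form that enforces both parameters (hypothetical)."""
    return not password_policy_failures(password)


def lax_signup_accepts(password: str) -> bool:
    """Model of a signup form that only rejects empty passwords (hypothetical)."""
    return len(password) > 0


# Constructed probe passwords; each violates exactly the parameter it is listed under.
PROBES: Dict[str, List[str]] = {
    "fewer than 8 symbols": ["Ab3!x9", "q1w2e3"],
    "digits or letters alone": ["1234567890", "abcdefghij"],
}


def audit_signup(accepts: Callable[[str], bool]) -> Dict[str, bool]:
    """Probe a signup form the way the report did.

    A parameter counts as failed if the form accepts any probe that violates it.
    Returns {parameter: True if the exchange FAILS that parameter}.
    """
    return {
        parameter: any(accepts(pw) for pw in probes)
        for parameter, probes in PROBES.items()
    }


def meets_password_parameters(accepts: Callable[[str], bool]) -> bool:
    """True when the form rejects every weak probe, i.e. passes both parameters."""
    return not any(audit_signup(accepts).values())


if __name__ == "__main__":
    for name, form in [("hardened", hardened_signup_accepts), ("lax", lax_signup_accepts)]:
        print(name, audit_signup(form))
```

The audit only needs an accept/reject oracle, so the same function works against a real registration form once `accepts` is replaced by a call that submits the form and checks the response; email verification and 2FA (parameters 3 and 4) have to be checked by walking the account flow itself.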

Registrar and Domain Security

We used the Cloudflare domain security check (https://www.cloudflare.com/domain-security-check) to check the exchanges for vulnerabilities connected with their registrar and domain:

  1. Registry lock: a registry lock is a special flag in the registry (not your registrar) that prevents anyone from making changes to your domain without out-of-band communication with the registry.
  2. Registrar lock: a registrar lock (not to be confused with a registry lock) prevents domain hijacking by requiring more than just an auth code to change information in the global registry.
  3. Role accounts: security-conscious organizations avoid exposing individual employees’ contact details in their domain registration by using role accounts to register their domain names. Role accounts protect individuals in your organization from being targeted by attackers.
  4. Expiration: we recommend at least a 6-month expiration window for high-profile domains. This is enough leeway to deal with unforeseen complications such as the employee who owns the domain leaving the company (again, this is a good reason to use role accounts).
  5. DNSSEC: DNSSEC eliminates the threat of DNS cache poisoning by authenticating all DNS responses with cryptographic signatures. Instead of blindly caching DNS records, DNS servers reject unauthenticated responses.

Each item has three possible outcomes: operating correctly (1), not operating properly (0), or a warning (0.5). The results of this assessment are as follows:

  • Only 2% of exchanges use registry lock
  • Only 10% of exchanges use DNSSEC
  • There were no exchanges that had problems with all five items

Only 4% of exchanges use best practice in 4 out of 5 of these areas.
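The five registrar and domain items can be scored offline from a domain's registration record using the three outcomes above (1, 0.5, 0). The following is an added example and not the Cloudflare tool's or the report's own code: it parses two constructed WHOIS-style records for a hypothetical domain, reads the standard EPP status codes (registrar-set `client…Prohibited` versus registry-set `server…Prohibited` statuses), and applies an assumed mapping of warning thresholds (an expiry that is in the future but under 6 months away, an email that cannot be classified) and a simple role-account heuristic, both of which are this example's own choices rather than the report's.

```python
from datetime import date
from typing import Dict, List

SIX_MONTHS_DAYS = 182  # the report's recommended minimum expiration window

# Constructed WHOIS-style records for a hypothetical domain (not a real exchange).
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-EXCHANGE.TEST
Registry Expiry Date: 2019-01-15T00:00:00Z
Registrant Email: alice.smith@example-exchange.test
Domain Status: clientTransferProhibited
Domain Status: clientUpdateProhibited
DNSSEC: unsigned
"""

HARDENED_WHOIS = """\
Domain Name: EXAMPLE-EXCHANGE.TEST
Registry Expiry Date: 2020-06-01T00:00:00Z
Registrant Email: hostmaster@example-exchange.test
Domain Status: clientTransferProhibited
Domain Status: clientUpdateProhibited
Domain Status: clientDeleteProhibited
Domain Status: serverTransferProhibited
Domain Status: serverUpdateProhibited
Domain Status: serverDeleteProhibited
DNSSEC: signedDelegation
"""

# Local parts commonly used for role accounts (assumed list for the heuristic).
ROLE_LOCAL_PARTS = {"hostmaster", "webmaster", "postmaster", "admin", "dns", "domains", "security"}


def parse_whois(text: str) -> Dict[str, List[str]]:
    """Collect 'Key: value' lines into a dict of lists (keys such as Domain Status repeat)."""
    fields: Dict[str, List[str]] = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields.setdefault(key.strip(), []).append(value.strip())
    return fields


def score_role_account(email: str) -> float:
    """1 for a known role account, 0 for a firstname.lastname address, 0.5 if unclear."""
    local = email.split("@")[0].lower()
    if local in ROLE_LOCAL_PARTS:
        return 1.0
    parts = local.replace("_", ".").split(".")
    if len(parts) == 2 and all(p.isalpha() for p in parts):
        return 0.0
    return 0.5


def score_domain(fields: Dict[str, List[str]], today: date) -> Dict[str, float]:
    """Score the report's five items: 1 = ok, 0.5 = warning, 0 = problem."""
    statuses = set(fields.get("Domain Status", []))
    scores: Dict[str, float] = {}
    # 1. Registry lock: server-side EPP statuses, which only the registry can set.
    server = {s for s in statuses if s.startswith("server")}
    scores["registry lock"] = 1.0 if "serverTransferProhibited" in server else (0.5 if server else 0.0)
    # 2. Registrar lock: clientTransferProhibited is set by the registrar.
    client = {s for s in statuses if s.startswith("client")}
    scores["registrar lock"] = 1.0 if "clientTransferProhibited" in client else (0.5 if client else 0.0)
    # 3. Role accounts: judged from the registrant contact address.
    emails = fields.get("Registrant Email", [])
    scores["role accounts"] = score_role_account(emails[0]) if emails else 0.5
    # 4. Expiration: at least 6 months left is ok; less but still valid is a warning.
    expiry_raw = fields.get("Registry Expiry Date", [""])[0]
    try:
        days_left = (date.fromisoformat(expiry_raw[:10]) - today).days
        scores["expiration"] = 1.0 if days_left >= SIX_MONTHS_DAYS else (0.5 if days_left > 0 else 0.0)
    except ValueError:
        scores["expiration"] = 0.0
    # 5. DNSSEC: the registry reports whether the delegation is signed.
    dnssec = fields.get("DNSSEC", [""])[0].lower()
    scores["dnssec"] = 1.0 if dnssec == "signeddelegation" else (0.0 if dnssec == "unsigned" else 0.5)
    return scores


def best_practice_count(scores: Dict[str, float]) -> int:
    """Number of items scored 1, i.e. the 'best practice in N out of 5 areas' figure."""
    return sum(1 for v in scores.values() if v == 1.0)


if __name__ == "__main__":
    today = date(2018, 10, 1)  # constructed assessment date
    for label, record in [("sample", SAMPLE_WHOIS), ("hardened", HARDENED_WHOIS)]:
        scores = score_domain(parse_whois(record), today)
        print(label, scores, "best practice items:", best_practice_count(scores))
```

With the constructed assessment date the first record scores 1.5 of 5 (only the registrar lock is in place), while the hardened record scores 5 of 5 and would count towards the 4% of exchanges following best practice in at least four areas.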

Web Protocols Security

We checked whether the exchanges under scrutiny send HTTP response headers that protect against various attacks, using the following resource: https://www.htbridge.com/websec/. Depending on whether an exchange sent the header in question, it was rated either 1 or 0. We checked whether the following headers were present:

  1. Strict-Transport-Security header (an HTTP Strict Transport Security (HSTS) header forces browsers to access the website over HTTPS).
  2. X-XSS-Protection header (X-XSS-Protection defines how browsers should enforce their cross-site scripting protection).
  3. Content-Security-Policy header (Content-Security-Policy (CSP) lets the site define the permitted sources for each type of content, which helps defend against XSS attacks. It can also define several browser behaviours, such as sandbox enforcement, or the value to be sent in the HTTP Referer header.)
  4. X-Frame-Options header (an X-Frame-Options header specifies whether the website may be framed, and from which origin. Blocking framing helps defend against attacks such as clickjacking.)
  5. X-Content-Type-Options header (X-Content-Type-Options directs browsers not to sniff the page’s content type and to use only the Content-Type declared by the server. This provides protection against XSS or drive-by-download attacks.)

The results of this assessment are as follows:

  • Only 10% of exchanges have all five headers
  • 29% of exchanges have none of the above mentioned headers
  • Only 17 exchanges have a Content Security Policy header
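The presence check described above is easy to reproduce from a captured HTTP response. The following is an added example, not code from the report or from the htbridge tool: it parses the header block of two constructed responses from hypothetical exchanges, scores each of the five headers 1 or 0 as the report did, and adds one check the report did not make, namely that an HSTS header actually carries a non-zero `max-age`, since `max-age=0` instructs browsers to drop the policy.

```python
from typing import Dict, List, Tuple

# The five headers the report checked. HTTP header names are case-insensitive,
# so everything is compared in lowercase.
CHECKED_HEADERS = (
    "strict-transport-security",
    "x-xss-protection",
    "content-security-policy",
    "x-frame-options",
    "x-content-type-options",
)

# Constructed sample responses from two hypothetical exchanges (not real captures).
FULL_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n"
    "<html>...</html>"
)

BARE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Server: nginx\r\n"
    "\r\n"
)


def parse_raw_response(raw: str) -> Dict[str, str]:
    """Parse the header block of a raw HTTP/1.1 response into a lowercase-keyed dict.

    The status line is skipped and parsing stops at the blank line that ends the headers.
    """
    headers: Dict[str, str] = {}
    for line in raw.split("\r\n")[1:]:
        if line == "":
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def score_headers(headers: Dict[str, str]) -> Dict[str, int]:
    """The report's scoring: 1 if the header is present, 0 if it is absent."""
    return {name: int(name in headers) for name in CHECKED_HEADERS}


def summarize(headers: Dict[str, str]) -> Tuple[int, List[str]]:
    """Return (total score out of 5, list of missing headers)."""
    scores = score_headers(headers)
    return sum(scores.values()), [name for name, s in scores.items() if s == 0]


def hsts_max_age(headers: Dict[str, str]) -> int:
    """max-age directive of the HSTS header, or 0 if the header is absent or unparseable.

    This goes beyond the report's presence-only check: a header with max-age=0
    tells browsers to forget the HSTS policy, so presence alone is not enough.
    """
    for directive in headers.get("strict-transport-security", "").split(";"):
        key, _, value = directive.strip().partition("=")
        if key.strip().lower() == "max-age" and value.strip().isdigit():
            return int(value)
    return 0


if __name__ == "__main__":
    for label, raw in [("full", FULL_RESPONSE), ("bare", BARE_RESPONSE)]:
        parsed = parse_raw_response(raw)
        total, missing = summarize(parsed)
        print(f"{label}: {total}/5, missing={missing}, hsts max-age={hsts_max_age(parsed)}")
```

Against a live site the raw response would come from an HTTPS request to the exchange's front page; the parser deliberately lowercases names so that `X-Frame-Options` and `x-frame-options` are scored the same way, which matters because servers are free to emit either form.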

General Exchange Security Rating

The selected exchanges have been analyzed according to the above mentioned categories with the following scoring system:

  • Console errors: maximum 5 points, 2 parameters analysed
  • User Account Security: maximum 18 points, 4 parameters analysed
  • Registrar and Domain Security: maximum 34 points, 5 parameters analysed
  • Web Protocols Security: maximum 43 points, 5 parameters analysed

The maximum possible total score when the above are added together is 100 points.

Conclusion

The full report can be found here. Exchanges should increase their security to protect their users from losing their funds.

Posted by wiredgorilla