Currently, there are more than 200 crypto exchanges available on the Internet. The problem is that the majority of them are insecure: only 4% meet the “good” security status, which combines many factors, such as password requirements, email verification and domain certification. Crypto exchange hacks repeat themselves with regularity (more than $1.1 billion has been lost to them), and this industry cannot go on in this manner forever; it is not sustainable. Users are tired of losing money, and it seems that exchanges with weak security measures will soon be washed out of the market. Let’s see what security experts and well-known developers have to say about it.
Thanks to agency.howtotoken.com for support in creating this topic (First platform with proven ICO contractors)
Stop losing our money
John Sedunov is an expert in banking, cryptocurrencies, and financial institutions, and a professor at Villanova University.
It is hard to overestimate the role of confidence in markets where users have to entrust their funds to an entity with an unknown legal status. Users have no control over their funds once they deposit cryptocurrencies on an exchange. The alternative, storing them in cold wallets, is a complicated process: it requires managing private keys and at least some technical expertise. A wire transfer from a local bank, followed by buying and storing crypto on the exchange, is easier. At the same time, doing this requires confidence that the exchange does everything in its power to protect those funds.
“The hacks are bad for users, bad for exchanges and terrible for confidence. If I don’t have confidence in where I’m storing my crypto assets or where I’m investing, how can I really trust any of this?”
Exchanges have come a very long way from the unregulated markets where computer geeks would sell magic Internet money. They are now established companies, attracting the attention of large financial institutions and governments. However, not all exchanges survived this process, Mt. Gox among them, and not all of them will survive in the future. So, what does it take to survive?
Markets will decide who is worthy
Dr. Statica is a cyber-defense, crypto, blockchain, AI, and technology expert with over 25 years’ experience in both the private and public sectors.
There are many crypto exchanges right now, but some of them are definitely starting to gain an edge over their competitors. What qualities make them stand out? Binance, Bittrex, Exmo, Kraken: all of these exchanges have a large trading volume, a long history and, more importantly, none of them has ever been hacked.
“People don’t like to use unsecured systems and definitely don’t like to lose their money. I think that people are smart enough now to recognize the power of secure systems and will pull their assets from those exchanges and either try to use other, more secure ones or they will diversify their portfolio between 2-5 exchanges. Some exchanges will lose revenue while others will increase their revenue. Overall, money won’t disappear into thin air but rather it will get redistributed.
Exchanges have to take immediate & drastic cybersecurity measures but also look at how the coins & wallets are protected in transit and at rest.”
The market will decide which players are the best in terms of security, and users will vote with their funds: they will simply stop trading on insecure exchanges. Why keep your hard-earned money on 2-5 insecure exchanges and hope that losses won’t be bigger than gains, when you can simply choose one secure exchange?
What should be done by exchanges to increase security?
Thomas Voegtlin is a founder and developer of the popular Bitcoin wallet Electrum.
Actually, there are a lot of things exchanges can do to increase security, and none of them require very sophisticated methods. Thomas Voegtlin formulated a list of security recommendations for exchanges:
- “Don’t store more bitcoins outside of cold storage than you can afford to lose and remain solvent. This ensures that your business will be able to financially survive a hack.”
- “Deposits should be sent to cold storage addresses directly.”
- “Transfer from cold storage to hot storage should be manual only.”
- “An attacker should not be able to disguise a theft as a series of withdrawals from customers.”
- “If a withdrawal request exceeds the amount available on the hot wallet, the customer should have to wait. Receiving coins 24 hours later is better than not receiving one’s coins at all.”
- “Clone your database to a place where an attacker cannot irreversibly modify or delete it from the server.”
- “Send digitally signed account statements to customers regularly, using a key that is not on the public server.”
Most of these recommendations can be implemented without any programming at all; this is risk management. Hacking a blockchain address is nearly impossible, as it is protected by extremely big numbers: the private key space is so large that guessing a key is infeasible, so what actually gets compromised is the online system that holds the keys. That is why keeping funds in cold storage is the ultimate security measure. For some reason, none of the exchanges that got hacked followed this advice.
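As an added illustration (this is not Electrum’s or any exchange’s code), the following Python model applies several of the rules above at once: deposits land in cold storage, cold-to-hot refills need manual approval and respect a hot wallet cap, and withdrawals that exceed the hot balance or a daily outflow limit are queued rather than paid. The cap and limit values are constructed for the example.

```python
from collections import deque
from dataclasses import dataclass, field

# Policy values are constructed for this example, not figures from the article.
HOT_WALLET_CAP = 10.0       # most BTC ever held outside cold storage
DAILY_OUTFLOW_LIMIT = 8.0   # most BTC the hot wallet may pay out per day


@dataclass
class ExchangeWallets:
    cold: float = 0.0
    hot: float = 0.0
    paid_out_today: float = 0.0
    queue: deque = field(default_factory=deque)  # withdrawals waiting on liquidity

    def deposit(self, amount: float) -> None:
        # Customer deposits go to cold storage directly; nothing tops up the hot wallet automatically.
        self.cold += amount

    def refill_hot(self, amount: float, operator_approved: bool) -> None:
        # Cold-to-hot is manual only and may never push the hot balance past the cap,
        # so a full compromise of the online system loses at most HOT_WALLET_CAP.
        if not operator_approved:
            raise PermissionError("cold-to-hot transfer requires manual operator approval")
        if amount > self.cold or self.hot + amount > HOT_WALLET_CAP:
            raise ValueError("refill exceeds cold balance or hot wallet cap")
        self.cold -= amount
        self.hot += amount

    def withdraw(self, customer: str, amount: float) -> str:
        # Pay only from the hot wallet and only while today's outflow stays under the limit;
        # a burst of "customer withdrawals" draining the hot wallet is how a theft would hide.
        if amount > self.hot or self.paid_out_today + amount > DAILY_OUTFLOW_LIMIT:
            self.queue.append((customer, amount))
            return "queued"
        self.hot -= amount
        self.paid_out_today += amount
        return "paid"

    def new_day(self) -> None:
        # Reset the daily counter and retry queued withdrawals in order, stopping at the
        # first one that still cannot be paid so customers are served first come, first served.
        self.paid_out_today = 0.0
        while self.queue:
            customer, amount = self.queue[0]
            if amount > self.hot or self.paid_out_today + amount > DAILY_OUTFLOW_LIMIT:
                break
            self.queue.popleft()
            self.hot -= amount
            self.paid_out_today += amount
```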
A rational proposition
Emin Gün Sirer is a computer scientist, an associate professor of computer science at Cornell University, and the co-director of IC3. He is known for his contributions to peer-to-peer systems, operating systems, and computer networking.
Another good solution came from Professor Emin Gün Sirer. All transactions on the blockchain are irreversible: if an exchange, a user account or a smart contract gets hacked, the stolen funds cannot be retrieved. But if there were two types of accounts, a cold storage account with a recovery key and a hot wallet without any recovery, it would be a different story.
“Suppose I designate some of my funds as being in a specially-marked cold storage account, or, let’s call them vaults. To pay for things, I need to move them out of my vault to a regular wallet, a process which takes, say, a day. Merchants never accept payments directly from vaults; they use regular Bitcoin addresses, and payments work in the regular, irreversible fashion. But the special thing about vaults is that they come with two keys. One key is used to unlock the vault and move your funds to a regular wallet. The other one, called a recovery key, is used when you notice that your funds were hacked and moved out of the vault by a hacker. You can then use your recovery key to undo the hack — you have 24 hours to notice and launch the recovery and get back all the funds.”
Could this be used to cheat merchants? No, because merchants would accept payments only from regular (hot) wallets, which remain irreversible. With a transfer out of a vault taking, say, 24 hours, the owner has a full day to notice an unauthorized move and undo it with the recovery key, which makes the scheme an effective defense against hacking attempts on vaulted funds. Anyway, if exchanges follow the simple rules listed above, they won’t even need any recovery. Which brings us to the next point…
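A simplified model of the vault described above, added here as an example and not code from Professor Sirer: two keys, a delayed move out of the vault, and a recovery that works only while the delay has not elapsed. Keys are modelled as shared secrets rather than signing keys, and the 24-hour delay is the value suggested in the quote.

```python
import hmac
from dataclasses import dataclass, field

DELAY_SECONDS = 24 * 3600  # vault-to-wallet delay: the article's "say, a day"


@dataclass
class Vault:
    """Simplified two-key vault. Keys are shared secrets here rather than signing
    keys, which is enough to show the state machine (an assumption of this example)."""
    balance: float
    unlock_key: str      # spends: starts a delayed move to a regular wallet
    recovery_key: str    # undoes a move that has not yet cleared the delay
    pending: list = field(default_factory=list)  # (amount, dest, release_time) tuples

    def unvault(self, key: str, amount: float, dest: str, now: int) -> None:
        # Funds leave the vault balance now but only reach `dest` after DELAY_SECONDS.
        if not hmac.compare_digest(key, self.unlock_key):
            raise PermissionError("bad unlock key")
        if amount > self.balance:
            raise ValueError("insufficient vault balance")
        self.balance -= amount
        self.pending.append((amount, dest, now + DELAY_SECONDS))

    def recover(self, key: str, now: int) -> float:
        # The owner noticed a theft: every move still inside its window returns to the vault.
        # Moves whose delay has elapsed are final, exactly like ordinary Bitcoin payments.
        if not hmac.compare_digest(key, self.recovery_key):
            raise PermissionError("bad recovery key")
        returned = sum((a for a, _, release in self.pending if now < release), 0.0)
        self.pending = [p for p in self.pending if now >= p[2]]
        self.balance += returned
        return returned

    def settle(self, now: int) -> dict:
        # Deliver every move whose delay has elapsed to its regular wallet, irreversibly.
        delivered: dict = {}
        for entry in list(self.pending):
            amount, dest, release = entry
            if now >= release:
                delivered[dest] = delivered.get(dest, 0.0) + amount
                self.pending.remove(entry)
        return delivered
```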
Does anyone care about security these days?
Edward Bark is EXMO’s co-founder.
Okay, it seems that there is a lot of room for improvement in this space. But are there any exchanges that try to give their customers maximum security? Yes, and there are many of them.
One of the exchanges worth mentioning here is EXMO. This platform is a security-oriented exchange that dedicates a lot of its effort to building a reliable infrastructure for trading and storing funds.
“We have implemented the maximum infrastructure protection on our site, two-factor authentication, SMS authentication and trusted IP. We also have multi-level protection against hacking and DDoS Attacks.
There is also a warning system in the case that someone is trying to take possession of data cookies. We keep our customers’ money in cold wallets, and our programmers are constantly improving the defense mechanisms. In parallel, we are negotiating to provide insurance for the bitcoins of our customers. All this allows us to confidently talk about the maximum security of our platform.”
What does this mean in practice? EXMO allows 2FA for both logging in and withdrawing funds. The user can create a whitelist of addresses to which funds may be withdrawn. Crypto assets are not stored in wallets connected to the exchange but in cold wallets, so hackers cannot steal them even if they break through the security barriers.
When you have that many security measures it is easy to trade, because you know that you won’t lose anything through someone else’s fault. There are only 19 stock exchanges in the whole world with a capitalization of over $1 trillion each, and a similar thing will happen with crypto exchanges: only the best will stay.