The cryptocurrency industry started to evolve rapidly in 2017 after the boom of ICO projects. It is still at an early age, so gigantic innovations happen on many levels: more advanced blockchains, new business models, simplification of user interfaces. These changes cause many uncertainties and security gaps that can’t be fixed in time, thus providing an immense opportunity for criminals: at least $1 billion evaporated from exchanges’ balances to crooks’ wallets in 2019.
The disproportion of cold and hot wallets
Past incidents affected exchanges of all sizes — from tiny ones to the biggest, like Binance. What united most intrusions was that the exchanges stored a significant portion of clients’ assets in hot wallets. This violates the basic best practice for digital asset storage: usually, 98% of assets or more should remain in cold wallets. Keeping more than that in hot wallets always leads to the insolvency of the exchange once those wallets are drained.
This cold/hot wallet proportion guarantees that even in case of a successful attack, it won’t be catastrophic for an exchange, and the company’s insurance fund (like Binance’s SAFU) will cover losses.
Cybersecurity is about making an attack an immensely expensive process
Draining a hot wallet is the final step of an attack. An exchange’s job is to put a robust defense system in front of its wallets that makes an attack a very time-consuming process.
The longer it takes to gain control over the wallets, the more likely the cybersecurity team is to spot the attack. I have worked with several crypto exchanges, and based on that experience I have identified five main security measures that crypto exchanges tend to neglect:
- System of checks and balances, which splits responsibility across multiple parties so that compromising any single party doesn’t ruin the defense. It usually includes restricting access to production servers to a dedicated “bastion” computer used solely for this purpose.
- Hardened servers and workstations, which make certain types of attacks on these systems impossible. For example, an accountant doesn’t need a Python interpreter on their laptop.
- Vulnerability management system to detect disclosed vulnerabilities in the apps on corporate hardware. Most attacks start by finding and exploiting unpatched software.
- A process to keep all apps up to date. After spotting vulnerable software, it’s critical to update it within the first two weeks. This often requires a manual patch process involving every employee in the company, which is extremely hard; regular reminders, awareness training, or security gamification software help with this.
- Detection and response to ongoing attacks. No system is secure, so one day a first-class attacker will intrude into the corporate network. The good thing is that they leave many traces during the attack, so the cyber team can scan for these traces in real time and stop the attack before it succeeds.
All successful attacks on exchanges exploited a gap in at least one of these points:
- OKEx, which lost $5.6 million in August this year during a “51% attack,” lacked the 1st and 5th points in their defense system.
- Binance, with the $40 million losses in 2019, missed vital bits in all five points in their defense.
Cybersec is a very expensive part of the cost structure
On the other side, Coinbase demonstrated strong security measures in the right places. The attack on them involved a zero-day vulnerability, a rare event, indicating that the criminals hadn’t found easier ways into the company. But even with such a powerful “weapon” in the hands of the crooks, Coinbase’s cybersec team detected traces of malicious activity on workstations and stopped the attack.
Such a first-class defense system for a centralized crypto exchange requires costly investments and takes a long time to get off the ground: three to six months to hire top engineers, six to 12 months to build the first version of the defense system, and $4 million+/year to keep it all running. The budget is usually split equally between salaries and software licenses.
When an exchange doesn’t make this level of investment, it ends badly for its clients. Most businesses can’t afford such expenses, and it’s only a matter of time before they lose clients’ money.
NOTE: The views expressed here are those of the author’s and do not necessarily represent or reflect the views of BeInCrypto.
Written by Tim Ismilyaev, CEO and founder of Mana Security. Tim is a cybersecurity expert specializing in protecting infrastructure. He has built his own cybersecurity system that helps companies manage vulnerabilities. He launched an algorithmic crypto hedge fund and created a security system from scratch that handled all attempted attacks during a token sale and passed several security checks.