Over the years, digital thieves have stolen millions of dollars' worth of cryptocurrency from various exchanges. The crypto market attracts a huge number of investors, all hoping for the highest returns, and few are troubled by the fact that once your crypto is stolen you will not get a refund: transactions and assets are not secured in any way, which makes investing in cryptocurrencies genuinely hazardous. The largest crypto exchanges hold vast amounts of digital cash. All of this makes them very attractive targets for hackers.
Over the past 8 years about 31 crypto exchanges have been hacked and more than 1 billion dollars (in fact, $1.3 bn) stolen. Some of the exchanges learned from their mistakes and managed to recover, others went bankrupt, and a few of the most "happy" ones, such as Mt.Gox, Bitcoinica, PicoStocks and Bitcurex, have been attacked more than once.
When preparing this security rating, we assessed each exchange's security measures against the following potential vulnerabilities, which could negatively impact exchanges and their users.
The report will discuss the following issues in detail:
- Console errors
- User Account Security
- Registrar and Domain Security
- Web Protocols Security
We selected exchanges whose daily trade value exceeds one million USD; the total number of exchanges on the list is 100.
Console errors
Errors in an exchange's code can cause some of its systems to malfunction, which in turn may cause problems for users. This type of vulnerability is usually not critical, but it should be taken into account, as in some instances such errors have resulted in data loss.
- Exchanges with neither errors nor warnings of this type: 49%
- Exchanges with no errors: 68%
Conclusion: 32% of exchanges have code errors, which lead to certain defects in operation.
User Account Security
A separate account has been created on each exchange. The following parameters have been assessed:
- The possibility of creating a password with fewer than 8 characters
- The possibility of creating a password consisting of digits alone or letters alone
- Email verification immediately after account creation
- The presence or absence of 2FA
The results of this assessment are as follows:
- 41% of exchanges allow passwords with fewer than 8 characters
- 37% of exchanges allow passwords consisting of digits alone or letters alone
- 5% of exchanges allow the creation of accounts without email verification
- 3% of exchanges lack 2FA
- Only 46% of exchanges meet all four parameters
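The password checks above amount to probing a sign-up form with a few deliberately weak passwords and noting which ones it accepts. The following is an added example, not code from the report: it models an exchange's password policy as a function and runs the same probes against a constructed weak policy and a constructed hardened one that satisfies both of the report's password criteria.

```python
"""Probe a registration password policy for the weaknesses measured in the
report's User Account Security section. Added example, not the report's code;
the two policies below are constructed stand-ins for an exchange's sign-up form."""
import re
from typing import Callable, Dict

# Constructed probe passwords: each exhibits exactly one weakness the report
# measured and is otherwise unremarkable.
PROBES = {
    "fewer_than_8_chars": "Ab1xyz7",      # 7 characters, letters and digits
    "digits_only": "1234567890",          # 10 characters, no letters
    "letters_only": "abcdefghij",         # 10 characters, no digits
}

def weak_policy(password: str) -> bool:
    """Constructed weak policy: accepts anything of 6 or more characters."""
    return len(password) >= 6

def hardened_policy(password: str) -> bool:
    """Policy meeting both report criteria: at least 8 characters and at
    least one letter and one digit."""
    return (len(password) >= 8
            and re.search(r"[A-Za-z]", password) is not None
            and re.search(r"[0-9]", password) is not None)

def audit_policy(accepts: Callable[[str], bool]) -> Dict[str, bool]:
    """For each probe, True means the policy would let that password through,
    which is a finding against the exchange."""
    return {name: accepts(pw) for name, pw in PROBES.items()}

def meets_password_criteria(accepts: Callable[[str], bool]) -> bool:
    """True when the policy rejects every probe."""
    return not any(audit_policy(accepts).values())

if __name__ == "__main__":
    for name, policy in (("weak", weak_policy), ("hardened", hardened_policy)):
        print(name, audit_policy(policy),
              "meets criteria:", meets_password_criteria(policy))
```

The same probe set can be pointed at a real registration endpoint's validation routine during a review; the probes are chosen so that each failure isolates one policy gap rather than several at once.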
Registrar and Domain Security
We used the Cloudflare domain security check (https://www.cloudflare.com/domain-security-check) to check these exchanges for vulnerabilities connected with their registrar and domain:
- Registry lock: a special flag in the registry (not your registrar) that prevents anyone from making changes to your domain without out-of-band communication with the registry.
- Registrar lock: registrar lock (not to be confused with registry lock) prevents domain hijacking by requiring more than just an auth code to change information in the global registry.
- Role accounts: security-conscious organizations avoid leaking the personal contact details of whoever registered the domain by using role accounts to register their domain names. Role accounts protect individuals in your organization from being targeted by attackers.
- Expiration: we recommend at least a 6-month expiration window for high-profile domains. This gives enough leeway to deal with unforeseen complications, such as the employee who owns the domain leaving the company (again, a good reason to use role accounts).
- DNSSEC: DNSSEC eliminates the threat of DNS cache poisoning by authenticating DNS answers with cryptographic signatures. Instead of blindly caching DNS records, validating resolvers reject responses that fail authentication.
Each item receives one of three scores: operating correctly (1), not operating properly (0), or warning (0.5). The results of this assessment are as follows:
- Only 2% of exchanges use registry lock
- Only 10% of exchanges use DNSSEC
- There were no exchanges that had problems with all five items
Only 4% of exchanges use best practice in 4 out of 5 of these areas.
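Four of the five items above can be read directly from a domain's WHOIS record: registrar and registry locks appear as EPP status codes (client*Prohibited for the registrar, server*Prohibited for the registry), the registrant e-mail shows whether a role account was used, the expiry date gives the expiration window, and gTLD registries report a DNSSEC field. The following is an added example, not the report's or Cloudflare's code: it scores a constructed WHOIS excerpt on the report's 1 / 0.5 / 0 scale. The 182-day and 30-day thresholds and the list of role-account names are this example's assumptions.

```python
"""Score a domain's registrar and registry hygiene from WHOIS text, using the
five items the report checked and its 1 / 0.5 / 0 scale. Added example, not
the report's or Cloudflare's code: the WHOIS record is constructed, and the
thresholds and the role-account name list are this example's assumptions."""
from datetime import date, datetime
from typing import Dict, List

# Constructed WHOIS excerpt in the style of a gTLD registry record.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-EXCHANGE.COM
Registry Expiry Date: 2025-03-01T00:00:00Z
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Registrant Email: hostmaster@example-exchange.com
DNSSEC: unsigned
"""
REFERENCE_DAY = date(2024, 6, 1)  # constructed "today" so the run is reproducible

# EPP status codes: client* locks are set by the registrar (registrar lock);
# server* locks are applied at the registry, which is what registry-lock
# services provide.
LOCK_OPS = ("TransferProhibited", "UpdateProhibited", "DeleteProhibited")
# Assumed list of local parts that indicate a role account rather than a person.
ROLE_LOCALPARTS = {"hostmaster", "domains", "dns", "noc", "security",
                   "webmaster", "admin", "postmaster"}

def parse_whois(text: str) -> Dict[str, List[str]]:
    """Collect 'Key: value' lines; repeated keys (Domain Status) accumulate."""
    fields: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields

def _lock_score(statuses: List[str], prefix: str) -> float:
    """1 if all three locks with this prefix are set, 0.5 if some, 0 if none."""
    present = sum(1 for op in LOCK_OPS if (prefix + op) in statuses)
    return 1.0 if present == len(LOCK_OPS) else 0.5 if present else 0.0

def score_domain(text: str, today: date) -> Dict[str, float]:
    """Per-item score on the report's scale: 1 pass, 0.5 warning, 0 fail."""
    f = parse_whois(text)
    statuses = [s.split()[0] for s in f.get("domain status", []) if s]
    scores = {
        "registrar_lock": _lock_score(statuses, "client"),
        "registry_lock": _lock_score(statuses, "server"),
    }
    email = (f.get("registrant email") or [""])[0].lower()
    local_part = email.split("@")[0]
    scores["role_account"] = (1.0 if local_part in ROLE_LOCALPARTS
                              else 0.5 if "redacted" in email else 0.0)
    expiry_raw = (f.get("registry expiry date") or [""])[0]
    try:
        expiry = datetime.strptime(expiry_raw, "%Y-%m-%dT%H:%M:%SZ").date()
        days_left = (expiry - today).days
    except ValueError:
        days_left = 0  # unparseable or missing expiry is treated as failing
    # Assumed thresholds: about 6 months (182 days) to pass, 30 days for a warning.
    scores["expiration"] = 1.0 if days_left >= 182 else 0.5 if days_left >= 30 else 0.0
    dnssec = (f.get("dnssec") or [""])[0].lower()
    scores["dnssec"] = 1.0 if dnssec == "signeddelegation" else 0.0
    return scores

def full_marks(scores: Dict[str, float]) -> int:
    """How many of the five items score 1 (the report's 'N out of 5')."""
    return sum(1 for v in scores.values() if v == 1.0)

def score_sample() -> Dict[str, float]:
    """Score the constructed record against the constructed reference day."""
    return score_domain(SAMPLE_WHOIS, REFERENCE_DAY)

if __name__ == "__main__":
    s = score_sample()
    for item, v in s.items():
        print(f"{item:15s} {v}")
    print("best practice in", full_marks(s), "of 5 items")
```

For the constructed record the result is a warning on registrar lock (two of three client locks), a fail on registry lock and DNSSEC, and a pass on role account and expiration, so the domain reaches best practice in only 2 of 5 items. A real audit would feed the output of a `whois` query to `score_domain`; registrars that redact registrant data produce a 0.5 on the role-account item because the record no longer shows whether a person or a role was used.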
Web Protocols Security
We have checked whether the exchanges under scrutiny possess headers that ensure protection against various attacks. We used the following re
Disclaimer
The views and opinions expressed in this article are solely those of the authors and do not reflect the views of Bitcoin Insider. Every investment and trading move involves risk - this is especially true for cryptocurrencies given their volatility. We strongly advise our readers to conduct their own research when making a decision.