Redefining security for crypto exchanges

Blockchain adoption has seen a surge in recent years with startups and incumbents investing heavily in the technology. This surge has been a manifestation of organisations across industry verticals creating new products and services and augmenting their existing offerings upon the foundation of blockchain technology. In fact, worldwide spending on blockchain is expected to hit USD 11.7 billion by 2022, according to a recent IDC report.

The promise and potential of blockchain technology is based on its ability to prevent fraud, reduce operational costs and eliminate intermediaries, improving transparency and trust for businesses and consumers alike.

Cryptocurrency is one of the most promising and widely used applications of blockchain technology, giving users direct access to an array of digital assets which can be transformed into a powerful investment product that can be saved, retrieved and exchanged with no control or censorship from central bodies such as banks. Cross-border payments and money transfers benefit a lot from this paradigm as there is no third-party interference or hidden costs.

Source: https://coinmarketcap.com/charts/

Despite its robust design that prevents fraud and third-party interventions, cryptocurrency exchanges have struggled to keep their users’ data and funds safe, leading to frequent crypto hacks. In 2019 alone so far, hackers have stolen over USD 4 billion in crypto scams and thefts.

So, what’s the deal?

Source: https://www.hackmageddon.com/category/security/cyber-attacks-statistics/

The modus operandi of hackers bypassing the security layers

When users trade on a crypto exchange, they mostly interact with the exchange platform and the fund wallet, facilitated through a device such as a mobile phone or computer. Moreover, crypto exchanges also sometimes work with third-party service providers such as campaign tracking and platform performance measurement tools or APIs, which if compromised, can allow hackers to seep into the user accounts and steal money and information. If these sources get compromised, hackers will find a way to get to user accounts, and if the platform doesn’t know how to safeguard accounts properly, possibly their funds. Since the storage, transaction, retrieval and tracking of the funds rely on some form of detached online technology, accounts get hacked beyond the transaction process.

Hackers are also continuously looking for new ways to manipulate devices or media that are used to interact with exchanges while carrying out trading activities. Some of the typical approaches include embedding malicious scripts in the website code, using backdoor hacking approaches that include cross-site scripting (XSS), impersonating exchanges on social media platforms, and social engineering attacks such as phishing to steal funds from an exchange.

Theft opportunities also emerge from compromised phones, which become a pathway for hackers whenever we use a mobile app. While the mobile app itself may not show signs of theft, it could be running a background program that creates a backdoor entry for malicious parties.

What does security augmentation for crypto exchanges entail?

Crypto exchanges need to adopt proactive and comprehensive security mechanisms to take on hackers. From having a set of well-defined user security systems and developing custom wallets that ensure fund safety, to strengthening transaction requirements/paperwork, there is an imminent need for an end-to-end safety mechanism.

Although exchange platforms across the globe have started focusing on certain areas, a holistic approach requires 5 key modules to develop the gold standard.

1. Ensuring user account security
International exchanges with a wide user base and large trading volume are more likely to be on the hackers’ target list. Therefore, bolstering technical capabilities and backend infrastructure to ensure strong algorithms and codes is the bare minimum. Enforcing strong passwords, performing a holistic KYC, and enabling two-factor authentication (2FA) enhance the operating procedure and provide an additional layer of security.

2. Device protection
While secure onboarding and continual operational security of users are critical, it is also important to manage device controls - Keystroke encryption, anti-click jacking capability, anti-screen capture and strong password protection protocols that need to be dynamically modified are near-mandatory features to protect device related slacks.

3. In-house cyber experts
Hackers have always managed to leverage bleeding edge technologies and algorithms to crack the security protocols. Even though injecting noise in hacking patterns is what hackers aim for, tracking the system data & activities regularly can help in proactive detection of threats. A dedicated, in-house cyber security team supported by strong monitoring and analytics capabilities is vital to keep such potential suspicious activities at bay. Such a team can control and respond to cyber threats in advance, preventing any loss to the user data or information that could lead to a major hack.

4. Third party cybersecurity checks
Confirmation bias, where a user or team, interprets, favours, or recalls information in a way that affirms their prior beliefs or hypotheses is very common in technology development/ testing landscape. Such biases are most commonly observed where a team that’s working on a feature is also the one to test it. Getting an external pair of eyes on a periodic basis in the form of third-party security audits or technological counselling are some great ways to avoid missing any loopholes in the security development or testing processes. They not only help in verifying the underlying technology, but also in preventing potential accidents related to the exploitation of cryptocurrencies.

5. Improving transparency for all parties
Having an unbiased and well-defined selection criterion for the listing processes ensure investor protection and user transparency. Providing security education to users along their journey and taking regular feedback through surveys allow crypto exchanges to stay in touch with customer pain points. Such touchpoints empower crypto exchanges to stay one step ahead of the hackers in finding out sophisticated loopholes that can be often missed out, especially while launching new features on the platform.

Embracing the future

Blockchain technology is a movement to bring in innovation through technological, political and economic changes and transform the way the traditional financial landscape functions. While, over 1.7 billion unbanked adults are still struggling to be included in today’s opaque and fragmented financial ecosystem, cryptocurrency is making it possible to eliminate hidden costs, and other location and income-based constraints to fight financial inequality.

We are all set to see more and more people embracing the cryptocurrency revolution with time, but we also need to rethink what security means for us – as businesses and users. Improvements in crypto security will lead to greater adoption, scalability, reliability and trust amongst users, making way for further innovation and disruptive opportunities in the financial domain.

About Marie Tatibouet

Marie Tatibouet is the CMO at Gate.io. Prior to joining Gate Technology, she was the CEO of a successful Digital Marketing Agency in Hong Kong, working with clients in the [blockchain] technology sector. She is on a mission to spread the word about Gate.io and the values it espouses - security, transparency, and integrity. She also sees it as her personal mission to help educate people around the world about blockchain technology and how they might use it to change the world.

 About Gate.io

Gate.io is a global blockchain assets exchange platform, operated by Gate Technology. Established in 2013 and developed fully in-house, Gate.io enables blockchain enthusiasts to trade and store assets in over 200 of the leading cryptocurrencies. Recognising the importance of blockchain security, Gate.io sets itself apart by prioritising security and experience, providing users with quick and easy access to assets, at a time and place to suit them.