Cryptocurrency exchanges lack basic password security, study shows
Research shows many exchanges fail to implement adequate password policies or other basic security measures
Many cryptocurrency exchanges are failing to implement adequate password security or other basic cybersecurity methods, leaving them vulnerable to attackers, according to a study of popular exchanges.
The study was conducted by cyber security consultant Dr Vidyasagar Potdar, on behalf of Australian crypto-exchange Ausfinex.
The study evaluated eleven popular current cryptocurrency exchanges, and found issues with password security with all of them, along with shortcomings in the use of HTTP security headers.
Dr Potdar noted that a security breach or a hack on a cryptocurrency exchange often results in huge financial losses for both the exchange and its customers through loss of stolen cryptocurrencies, as well as possible identity theft of customer's credentials; and loss of reputation and trust for the exchange, as well as difficulties in getting insurance for the exchange.
"Losing money and information is the worst thing to happen for an exchange. Hence, securing the exchange from the start is absolutely essential, so much so that it is becoming a functional requirement for any exchange software development project," he writes in the report.
"Securing a cryptocurrency exchange is a massive undertaking and requires significant considerations from the crypto perspective, as well as the infrastructure perspective."
While most of the exchanges required the use of long alphanumeric passwords and used two-factor authentication, the study found that none of the exchanges evaluated restricted the use of reserved words for passwords on their platforms. This means that commonly used phrases and password combinations (for example Password123 or admin123) are accepted as strong passwords. Second, several exchanges did not have a security measure in place that automatically flagged cases where numbers were used in serial order as part of the password, leading to trivial attempts at guessing passwords occasionally ending successfully.
The other component of cryptocurrency exchange security that Dr Potdar analyzed is the employment of HTTP security headers. HTTP security headers provide an additional web security layer that is relatively simple to implement, that can mitigate a myriad of security vulnerabilities, and that should be standard practice for every cryptocurrency exchange. His findings demonstrate that the implementation of HTTP security headings is severely lacking. Out of the eleven total exchanges examined, none of them integrated an HTTP security header designed to prevent cross-site scripting attacks. Further, 54% of the exchanges did not employ the simple HTTP security header that tells the browser to communicate only over HTTPS, rather than the less secure HTTP protocol.
While the study only looked at password policies and HTTP security features, Dr Potdar pointed out that these are just two possible vectors of attack, and that exchanges should also be considering from inception, including network, email and database.
"Overall, it seems that although some form of password strength is considered, it is far from ideal. Password policies should be given a great deal of thought and should cover all possible angles to make it difficult as possible for hackers to compromise user accounts," Dr Potdar wrote. "Implementing HTTP Security Headers are not a big task, but the majority of the exchanges have either overlooked it or not given it much thought.
"I have read several security reports and studies that mention that cryptocurrency exchanges should provide minimum security standards. I, however, strongly suggest that cryptocurrency exchanges should provide maximum security standards," he added.
"Security is critical when dealing with financial transactions because stolen cryptocurrency usually cannot be recovered. Consumers need to have the trust and confidence when selecting an exchange. A cryptocurrency exchange needs to demonstrate and communicate the strong security that has been built into their exchange at the foundation."