As the digital era progress the cryptocurrencies are exploding. Right now there are more than 1,600 different cryptocurrencies in the world that have a combined value of around $350 billion.
The most popular are without any doubts Bitcoin, Ethereum and Ripple: only those three are worth more than $210 billions. The reason why they are gaining more and more respect is that they are clearly considered by people around the world as a good investment.
The first attraction of cryptocurrency is security. But this is a bit of a myth as the security of cryptocurrency is not very relevant if the exchange in which is stored it is not secure. This is very important as you could simply wake up one day and find out that all your cryptocurrency have simply disappeared.
Blockchain technology, who have created cryptocurrency, have very strong security but both cryptocurrency and the exchange that stores your digital money can be hacked in many different ways.
‘Surely cryptocurrency security is at the base of their continue success and existence’, said Ethan Rowe editor in chief of Top Trading Platforms website. ‘If the trust in the technology will not be there anymore cryptocurrencies will crash very fast’.
Compromised Credentials – even if there is a strong security to protect a system there will always need to be a small number of users that will have the authorisation to access it. In regards to cryptocurrencies and cryptocurrency exchanges, customers, cryptocurrency owners and cryptocurrency exchange admins will be the best targets for attackers. It is known that the first cause of crypto exchange hacks it is compromised credentials. Only in 2017 compromised credentials led to a number of crypto exchange hacks. It was in June 2017 that all personal information, including sensitive customers data of more than 30,000 were compromised with hackers that were able to access a Bithumb crypto exchange employee’s personal computer.
Once done that it was very easy for attackers to steal tens of thousands of dollars of cryptocurrency as well in addition to the data. Another incident happened at NiceHash were hackers compromise the credentials of a system engineer and got away with about $75 million.
Social Engineering Attacks
The weakest links in any computer security system are always the human beings. If targeted well social engineering can provide attackers all the information they need to access a cryptocurrency exchange. An attack in 2015 resulted in the theft of $5 million from Bitstamp: that was possible after an administrator of the crypto exchange opened a malicious file.
Cryptocurrency Code Vulnerabilities
As we all know no code is invulnerable. Even if cryptocurrency code is pretty much secure the code underlying a cryptocurrency exchange can be exploited to hack transactions. This is exactly what happened in 2016 when thieves were able to find a loophole in the code of a decentralised autonomous organisation and steal cryptocurrency. Attackers in this case were able to exploit a flaw in how the code processed transactions and took away $50 million worth of Ethereum.
Test Accounts in Production Environment
Test accounts are done in any development environment. Developers use accounts with a number of permissions and access privileges to test a new code and check that everything is working as expected. But test accounts can be a very good way for hackers to gain access as they are not closely managed or monitored. Best practise says that they should only exist in a test or staging environment and should never be used in a production environment. Even if they are used on production environment than they should only have the minimal level of privileges. Also there should be regular audits with any rouge test accounts that should be eliminated.
Lack of Separation of Duties
It is also very important to ensure separation of duties and implement the ‘least privileged access’ for accounts. Crypto exchanges should have a monitored process so that developers will only be able to access production systems if needed, like in an emergency.
Poor Account management and hygene
If a cryptocurrency exchange is not managed effectively the attack is likely as the attack surface will expand. In addiction to restricting test account access and separate duties for different roles it is also important that the crypto exchange will follow basic account management best practices.
One of the pillars of the security of cryptocurrency, Blockchain technology is that transactions are immutable and cannot be changed. One of the largest attack on cryptocurrency exchange happened when attackers found that they could change the transaction ID before the transaction was closed and in doing so divert funds to a different account. In 2014 hackers managed to divert nearly $500 million in fund from Mt. Gox crypto exchange.
Lack of Hot Wallet Protection
Cryptocurrency exchange servers and storage networks keep a live pool of digital currency also called hot wallets. The cryptocurrency that is contained in a hot wallet should be kept encrypted and secure and if not it is subject to theft. The hot wallet should be kept secured with multi-signature private keys and also a single key should not allow access. In January of 2018 hackers managed to steal a huge $530 million from Coincheck: the reason was that multi-signature keys were not used and the hackers were able to get their hands on a single private key that allowed them to unlock the hot wallet.
Secure the Cryptocurrency Exchange
The increased popularity of cryptocurrency and the huge amount of money they are now represent has made those a clear target for cybercriminals. One of the main reason of success has been Blackchain technology which is secure. But we all have to remember that there is always a weak link somewhere. The examples we have made show well that even if the cryptocurrency is secure the cryptocurrency exchanges that do process transactions and store digital currency can be vulnerable to potential hacks and to theft.