Analyzing over 60 popular cryptocurrency exchanges and 95 less popular ones (according to Alexa’s data, they have less than 10,000 users daily), we have identified a list of items to make cryptocurrency exchange security stronger, and below you find a checklist. Oftenly, the CCSS is not always clear and such difficult industry to develop a full-fledged, scalable, functioning and, above all, secure cryptocurrency exchange. Therefore, we decided to write about the main security items.
1. DDoS protection; As if it was not strange sounding, but still it is one of the most common methods of attacking platforms and cryptocurrency exchanges. Protection can proceed at a low level of the server, a firewall or a layer on the platform. The most secure AWS Shield together with their infrastructure allows us to build not only scalable but also secure and well-performed platforms.
2. Cross-Site Scripting (X-XSS-Protection).
3. Don’t Expose Server Information. Show back-end information about the server, software, and OS, is only causing troubles. You literally give a green light to hackers revealing secret information. If you are wondering why, here is a quick link to Apache vulnerabilities list. Still the most common web server. In each new release, developers fix those bugs and close the holes. Simply checking the version and comparing vulnerabilities list, you dug yourself a hole.
4. NoSQL/SQLi. Classic vulnerability and the easiest in execution.
5. CSRF. Queries falsification is simple enough to neutralize using signed tokens. Additionally, this is another layer of protection against XSS.
6. Clickjacking attack and X-Frame-Options.
7. HSTS (HTTP Strict-Transport-Security) and SSL. SSL is good enough not only because it shows a green lock and gives a bit of confidence to users. By the way, the hypothesis that Google increased visibility in search results is false. Modern methods of database encryption require HTTPS connection through SSL certificate. Self-signed do not work this way, only issued by an authoritative department or company. For e-commerce or payment integration, SSL must be.
8. Vulnerable or malicious libraries. Very similar to the previous paragraph about server information.
9. Content Security Policy (CSP) protection. Writing your own unique, authored content, you never want to be stolen and placed under another’s name. Unfortunately, such problem is difficult to solve, just like Facebook fights against fake news and clean newsfeed. CSP protection is probably the only automatic copywriting option.
10. HTTP Public Key Pinning (HPKP).
11. Cold storage; Probably only a novice cryptocurrency investor did not hear about the cold storage. There are a couple of cold wallet types but the key point is an offline wallet. For example, hardware-wallet like Trezor or Ledger, USB wallet, your own deployed node on an Internet-isolated computer, or even a paper wallet. The most protective is usually considered a hardware-wallet that has several layers of protection including encryption, and multicurrency (Bitcoin, Ethereum, and Litecoin for instance). Together with the multi-signature, it allows you to reduce the risk of stolen assets through lost devices several times, up to 0.01%.
12. Device identification. Itself it does not represent penetration but allows timely prevention of unauthorized actions. Audit and logs of all authorizations (successful and unsuccessful) must necessarily be stored and in hand-access.
13. Error handling. Error handling must be disabled for any live server. This information is required only for developers, not hackers.
2FA. In the user’s interest to turn on two-factor authentication to create an additional protection layer. It is always better to step over laziness and switch it on to protect your assets. Applications like Google Authenticator require only 1 minute setting it up.
As you can see, cryptocurrency exchange security and protection are underlying in dozen layers. Only together, they provide a high level of protection. And remember that on most platforms, the weak point is not the platform or the exchange itself, but its users. Social engineering has not been canceled yet, and cybercriminals successfully use it for many years in all financial related industries.