Over Half of All Crypto Exchanges Have Security Vulnerabilities

A recent report from ICO Rating has found that only 46% of cryptocurrency exchanges meet the desired security parameters with the remaining 54% considered to have sub-par security measures in place, leaving hundreds of thousands of traders and investors exposed. The sample group of exchanges contains 100 exchanges all of which have a 24-hour volume of over $1 million.

A total of $1.3 billion has been stolen from hacked cryptocurrency exchanges since 2010, and yet it still seems that exchange operators are failing to take security seriously. The security report published last week by ICO Rating considers the following four factors when establishing a security rating:

Console errors
User Account Security
Registrar and Domain Security
Web Protocols Security
Here’s what each of those relates to.

Console Errors
Console errors have caused data loss before, although this is usually not the result of a malicious attack but coding problems. The report found that 32% of exchanges have code errors that lead to operational malfunction.

User Account Security
To measure this, the analysts created a separate account on each exchange and examined password security as well as email verification and 2FA measures. They found that 41% of exchanges allow for the creation of a password less than 8 characters long and therefore considered unsafe to use. 37% of exchanges allow users to create their passwords out of letters or numerical digits only without combining the two, which is also considered to be a security flaw.

More seriously, 5% of exchanges allow users to create accounts without email verification and 3% of exchanges lack 2FA (two-factor authentication which requires users to confirm with a separate device their sign-in, considered to be a fundamental aspect of fund protection).

Registrar and Domain Security
The analysts used Cloudflare to identify security flaws regarding their domain and registrar.

A number of factors were considered here, such as registry lock which prevents anyone using out-of-band communication with the registry from making domain changes as well as registrar lock which prevents domain hijacking through heightened security measures such as requiring more than an authorization code for domain access – role accounts are often used to protect sensitive domain information from leaking.

The analysts recommend a 6-month expiration period for domains to allow for complications regarding ownership, etc, and that was tested for along with the presence of DNSSEC which authenticates all DNS queries with cryptographic signatures to prevent cache poisoning.

Analysts found that only 4% of exchanges were using best practices in all of these areas – only 2% of exchanges use registry lock and 10% use DNSSEC, although no exchange completely neglected all 5 parameters.

Web Protocols Security
Web protocols were examined for their security level using WebSec by HT Bridge. Analysts tested for HTTPS headers in URLs, X-SXX- protection headers, content security policy headers, x-frame-options headers, and x-content-type headers.

Only 10% of exchanges used all 5 security measures, with 29% using none of the above and only 17% having a content security policy header.