New research by Cryptocurrency Exchange Ratings [CER] assessed the security of the top 100 exchanges [according to CoinMarketCap] and rated them using its Cyber Security Score [CSS], an assessment system that grades the cybersecurity parameters of exchanges on a 10-point scale.
According to the research, a total of $1.3 billion was stolen from cryptocurrency exchanges in 2018. The data was collated by the CER team using a comprehensive security audit model consisting of three components:
According to the distribution of CSS results, only nine exchanges scored above eight points out of ten. Kraken and Coinbase Pro topped the list, followed by Binance and BitMex in third place. However, popular exchanges such as Bithumb [98th on the list], DOBI [93rd on the list], ZBG [96th on the list], Coincheck and Zaif were rated as the worst CSS performers.
According to the research paper, the three most problematic factors for crypto exchanges were:
Of the three, DNSSEC records and HTTP security headers concern the configuration of the exchanges' servers. The bug bounty program, a scheme that rewards individuals for finding errors, vulnerabilities or bugs in an exchange's security systems, had the worst results.
The data shows that only 13% of the trading platforms run an ongoing bug bounty program that can be considered reliable. Of these, 6% host the program themselves, while 7% use specialized platforms such as HackenProof or Bugcrowd for the purpose.
The DNSSEC protocol, the Domain Name System Security Extensions, uses public-key cryptography to authenticate DNS responses, which prevents the use of forged or manipulated DNS data. It was the second-weakest factor among exchanges: the research claims that 60% of the analyzed platforms do not have appropriate DNSSEC records for their domains.
The last area of concern is HTTP security headers. The research examined security-related fields in the header section of HTTP request and response messages. When configured correctly, these headers help prevent attacks such as man-in-the-middle and cross-site scripting.
However, after checking seven headers, the researchers concluded that 59% of the exchanges were missing six or seven of them, while 17% were missing four or five. Only 13% were missing just two or three headers, and a mere 11% of the exchanges were missing only one.
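As an added illustration of the header check described above (this is not CER's research code or tooling), the following Python audits the security headers of an HTTP response and buckets the result into the bands the article reports. The seven header names and the value rules are assumptions, since the article does not list which seven headers CER checked.

```python
import re

# Assumed set of seven headers (the article does not name the seven CER checked);
# each maps to a value check that returns a problem string or None when acceptable.
def _hsts(v):
    m = re.search(r"max-age=(\d+)", v, re.I)
    if not m:
        return "HSTS lacks max-age"
    return None if int(m.group(1)) >= 15552000 else "HSTS max-age under 180 days"
def _csp(v):
    bad = ("unsafe-inline", "unsafe-eval")
    return "CSP allows unsafe-inline/unsafe-eval" if any(b in v.lower() for b in bad) else None
def _xfo(v):
    return None if v.strip().upper() in ("DENY", "SAMEORIGIN") else "X-Frame-Options is not DENY/SAMEORIGIN"
def _nosniff(v):
    return None if v.strip().lower() == "nosniff" else "X-Content-Type-Options is not nosniff"

CHECKS = {
    "strict-transport-security": _hsts,
    "content-security-policy": _csp,
    "x-frame-options": _xfo,
    "x-content-type-options": _nosniff,
    "referrer-policy": lambda v: None,      # presence-only checks
    "permissions-policy": lambda v: None,
    "x-xss-protection": lambda v: None,
}

def audit_headers(headers):
    """Return (missing, weak): names of checked headers absent from the response,
    and problem strings for headers present with a weak value (case-insensitive)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    missing, weak = [], []
    for name, check in CHECKS.items():
        if name not in lowered:
            missing.append(name)
        elif (problem := check(lowered[name])):
            weak.append(problem)
    return missing, weak

def css_band(missing_count):
    """Bucket a missing-header count into the bands the article reports."""
    return ("missing 6-7" if missing_count >= 6 else "missing 4-5" if missing_count >= 4
            else "missing 2-3" if missing_count >= 2 else "missing 0-1")

# Constructed sample responses, not real exchange data.
WEAK_RESPONSE = {"Server": "nginx", "X-Frame-Options": "ALLOWALL"}
HARDENED_RESPONSE = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'", "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff", "Referrer-Policy": "no-referrer",
    "Permissions-Policy": "geolocation=()", "X-XSS-Protection": "0",
}
```

A presence-only check would rate a header such as `X-Frame-Options: ALLOWALL` as fine, which is why the value rules matter as much as the count.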
Earlier this month, Cryptopia, a cryptocurrency exchange based in New Zealand, announced that it had lost funds in a security breach. The platform remains under maintenance, and the team has not yet disclosed the amount compromised in the hack.
With exchange hacks this frequent, the research offers a detailed view of what each exchange lacks and where it can improve.