A Safer Direction: On Crypto Exchanges and the Need to Take Security Measures Seriously
“Crypto Exchange operators need to work with the mindset that all user login data is already compromised. This is why secondary authentication is important,” said Eric Gu, one of the three panelists at a discussion that took place at the D10e Tokyo conference. The panel, moderated by Kenny Au, co-founder of Luxchain and blockchain columnist, discussed the efforts that cryptocurrency exchanges need to make in order to become more secure and efficient.
Gu, the founder of Metaverse and RightBTC, was part of a panel of blockchain experts and veterans. In addition to Gu, the panel included Ivan Chen, Head of Strategy at CoinSuper, and Robin Guo, an experienced blockchain expert who has been in the industry since 2013. Guo co-founded the first Chinese cryptocurrency, YBcoin, and was previously the CEO of multiple mainstream cryptocurrency asset exchanges (BCEX & Allcoin) for three years. Now he is the CEO of Tai Lab, which aims to provide the best incubation and advisory services for anyone interested in utilizing blockchain technology.
An estimated $1.3 billion (and counting) has been stolen through hacks that have taken place on several major cryptocurrency exchanges across the world. One of the major hacks took place on the Coincheck platform, one of the largest cryptocurrency exchanges in Japan, where up to $534 million worth of coins were stolen. Hacks are not exclusive to a small number of exchanges. Gu explained that according to his observations and research, almost every exchange has experienced a hack at some point in time but only a few of them have chosen to disclose what happened. Gu’s findings helped him draw up various security measures that his exchange follows; measures he believes all other cryptocurrency exchanges should implement as well.
Chen agreed with Gu’s sentiments regarding exchange security and mentioned how the team at CoinSuper reached out to an external party to help ensure that the security of the newly established exchange platform is as strong as it can possibly be. Security architecture, internal control, penetration testing, and instant response were the measures that Chen identified as the most important security factors for a cryptocurrency exchange to have.
Simply explained, security architecture refers to the overall structure of an exchange’s security system. Internal control has to do with how internal processes within the exchange are monitored and managed. Penetration testing and instant response relate, respectively, to testing a platform for vulnerabilities that are already present and to the time it takes for authorities to be alerted to any breach.
Guo warned that exchange operators need to be fully aware of the technology that they use on their platforms. He mentioned how some exchanges tend to incorporate protocols that have bugs which could lead to hacks and other security problems. Another important factor to be considered, according to Guo, is the kind of people who are on the team. From technicians to the crypto asset keepers, exchange platforms need to ensure that the people on their teams are people with integrity and honesty.
Multi-factor authentication was another security measure endorsed by everyone on the panel. When people think of authentication, they think of Google Authenticator, which is one of the most popular forms of authentication. When users want to withdraw assets from an exchange, they need to authenticate their identity. But relying solely on one authentication method will lead to a series of complications.
According to Gu, Binance, an international multi-language cryptocurrency exchange, solely relied on Google Authenticator and forgot to request any secondary authentication from users. This flaw was eventually taken advantage of, leading to a security breach. As mentioned earlier, Gu believes that no exchange should rely on one form of authentication. Several forms of authentication – if possible – are necessary. Exchanges hold millions of dollars’ worth of coins on their platforms. According to Gu, if every exchange operator treated all user login info as “compromised” they would enforce secondary authentication from all their users. This secondary authentication can come in the form of a security question only the user would know the answer to or even personally contacting the user to confirm their withdrawal – a practice that Guo incorporated into the security system of the exchanges he worked with.
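The withdrawal rule the panel describes, treating the login as already compromised and releasing funds only when a second, independent factor also checks out, can be written down concretely. The following is an added example in Python and is not code from Gu, Metaverse, RightBTC or any exchange mentioned above. It implements RFC 6238 TOTP (the scheme Google Authenticator uses) on top of the standard library, then a withdrawal authorizer that requires both a valid TOTP code and an out-of-band confirmation token of the kind Guo describes (delivered by e-mail, SMS or a phone call). The `Account`, `request_withdrawal` and `authorize_withdrawal` names, the 30-second step, and the replay guard are illustrative choices, not any exchange's API.

```python
"""Withdrawal authorization that assumes the password is already compromised.

Added example (not from the panel or any exchange): a withdrawal is released only
when BOTH a TOTP code (what Google Authenticator produces) AND an independent,
out-of-band confirmation token match. Names and limits are illustrative.
"""
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass, field
from typing import Dict, Tuple

STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Accept the current step plus/minus `window` steps of clock drift, in constant time."""
    return any(
        hmac.compare_digest(totp(secret, at + drift * STEP_SECONDS), code)
        for drift in range(-window, window + 1)
    )


@dataclass
class Account:
    totp_secret: bytes
    last_totp_counter: int = -1  # replay guard for factor 1 (one approval per time step)
    pending_confirmations: Dict[str, str] = field(default_factory=dict)  # request_id -> token


def request_withdrawal(account: Account, request_id: str) -> str:
    """Step 1: mint a one-time confirmation token for this withdrawal request.

    In production the token travels over a second channel the web session does not
    control (e-mail, SMS, or a support phone call); it is returned here only so the
    example runs stand-alone.
    """
    token = secrets.token_urlsafe(16)
    account.pending_confirmations[request_id] = token
    return token


def authorize_withdrawal(account: Account, request_id: str, totp_code: str,
                         confirmation_token: str, now: int) -> Tuple[bool, str]:
    """Step 2: release funds only if both independent factors check out."""
    counter = now // STEP_SECONDS
    if counter <= account.last_totp_counter:
        return False, "totp code already used in this time step"
    if not verify_totp(account.totp_secret, totp_code, now):
        return False, "totp code invalid"
    expected = account.pending_confirmations.get(request_id)
    if expected is None or not hmac.compare_digest(expected, confirmation_token):
        # A valid TOTP alone is never enough: a phished session that also has the
        # authenticator code still cannot move funds without the second channel.
        return False, "out-of-band confirmation missing or wrong"
    # Both factors passed: consume them so neither can be replayed.
    account.last_totp_counter = counter
    del account.pending_confirmations[request_id]
    return True, "withdrawal approved"


if __name__ == "__main__":
    # Constructed demo: the RFC 6238 reference key and a fixed timestamp.
    acct = Account(totp_secret=b"12345678901234567890")
    token = request_withdrawal(acct, "wd-1")
    print(authorize_withdrawal(acct, "wd-1", totp(acct.totp_secret, 59), "", 59))
    print(authorize_withdrawal(acct, "wd-1", totp(acct.totp_secret, 59), token, 59))
```

The order of checks matters: a failed second factor does not consume the TOTP step or the pending token, so a legitimate user who mistypes the confirmation can retry, while a successful approval burns both so the same pair cannot be replayed against a second withdrawal.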
During the Coincheck incident that occurred earlier this year, one of the major problems that led to so much money being lost is the fact that the exchange kept a large number of coins in its hot wallet. A hot wallet is an online wallet that stores funds, and hot wallets are notoriously vulnerable: anything stored online may be subjected to attacks from malicious hackers and other entities. Members of the panel mentioned that they are automating their wallets and implementing daily limits, so that only enough coins are left in the hot wallet for a day’s transactions on their exchange platforms, while the rest is kept in a secure, offline wallet (known as a cold wallet). Gu mentioned that some exchanges are moving in the direction of having a custodian bank solely for safely storing coins on the platform, while the exchange platform is used solely for exchanging.
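The hot-wallet float and daily-limit policy the panelists describe can be expressed as a small treasury rule set. The following is an added example in Python and is not code from Coincheck, the panelists, or any exchange; amounts are integers in a coin's smallest unit and every threshold is constructed for illustration. It goes slightly beyond the text by handling the rebalancing decision in both directions: sweeping surplus from the hot wallet into cold storage, and flagging when the float has dropped far enough that custodians must sign a top-up from the offline wallet. `HotWalletPolicy` and its method names are hypothetical.

```python
"""Hot/cold wallet float policy.

Added example, not from the panel or any exchange. Amounts are integers in the
coin's smallest unit; the thresholds are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, datetime, timezone
from typing import Optional, Tuple


def at(year: int, month: int, day: int, hour: int = 0) -> datetime:
    """Constructed UTC timestamps for the demo and tests."""
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


@dataclass
class HotWalletPolicy:
    float_target: int          # what the hot wallet should hold for one day's withdrawals
    daily_limit: int           # total auto-approved withdrawals per calendar day (UTC)
    per_tx_limit: int          # any single withdrawal above this is held for manual review
    hot_balance: int = 0
    cold_balance: int = 0
    withdrawn_today: int = 0
    day: Optional[date] = None

    def _roll_day(self, now: datetime) -> None:
        today = now.astimezone(timezone.utc).date()
        if self.day != today:
            self.day, self.withdrawn_today = today, 0

    def deposit(self, amount: int) -> None:
        """User deposits land online first; rebalance() moves the surplus offline."""
        self.hot_balance += amount

    def withdraw(self, amount: int, now: datetime) -> str:
        """Auto-pay from the hot wallet only inside the limits; otherwise hold."""
        self._roll_day(now)
        if amount <= 0:
            return "rejected: invalid amount"
        if amount > self.per_tx_limit:
            return "held: exceeds per-transaction limit, manual review"
        if self.withdrawn_today + amount > self.daily_limit:
            return "held: daily limit reached"
        if amount > self.hot_balance:
            # The float is the blast radius: a compromised hot key cannot drain more.
            return "held: hot float exhausted, cold top-up required"
        self.hot_balance -= amount
        self.withdrawn_today += amount
        return "paid from hot wallet"

    def rebalance(self) -> Tuple[str, int]:
        """Sweep surplus to cold storage, or ask custodians for a top-up when low."""
        surplus = self.hot_balance - self.float_target
        if surplus > 0:
            self.hot_balance -= surplus
            self.cold_balance += surplus
            return "sweep_to_cold", surplus
        if self.hot_balance < self.float_target // 2:
            # Cold keys are offline: this code can only request the top-up; the
            # signed transfer is recorded later via apply_cold_topup().
            return "request_cold_topup", self.float_target - self.hot_balance
        return "none", 0

    def apply_cold_topup(self, amount: int) -> None:
        """Record a custodian-signed transfer from the cold wallet into the hot wallet."""
        if amount > self.cold_balance:
            raise ValueError("cold wallet does not hold that much")
        self.cold_balance -= amount
        self.hot_balance += amount


if __name__ == "__main__":
    # Constructed demo values.
    policy = HotWalletPolicy(float_target=100, daily_limit=300, per_tx_limit=50, hot_balance=250)
    print(policy.rebalance())                 # ('sweep_to_cold', 150)
    print(policy.withdraw(60, at(2018, 3, 1, 9)))
    print(policy.withdraw(40, at(2018, 3, 1, 9)))
```

The sweep runs against a fixed target rather than a percentage, so an unusually large inbound deposit is moved offline immediately instead of inflating the float; the top-up path deliberately does nothing on its own, because the cold signing ceremony happens outside any online process.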
The panel also highlighted that users have a major part to play in ensuring that crypto exchanges remain safe – but it is the exchanges’ responsibility to ensure that users are aware of this. Gu and Chen agreed that users need to be trained in safe security practices while trading, but admitted that exchanges face a minor dilemma. Ideally, exchanges would like to keep their users’ coins on their platform but do not want to risk losing their users’ money. Encouraging users to store all their funds in their own cold wallets means that exchanges will not have access to these coins, ultimately affecting how transactions take place. Guo added that it would be better for exchanges to design their platforms so well that users have no trouble using their features, thus preventing mistakes from taking place. It would be better for users to be trained to recognize fraud, to be good traders, and to put money at risk only if and when they can afford to lose it.
Gu also addressed an issue that is not spoken about often – the inconvenience that many users experience when wanting to use multiple exchange platforms. Users are forced to answer the same verification questions every time they sign up on a different platform, and this can become repetitive and inconvenient. There is a need to use different exchange platforms because of the different coins that are available for trading: one platform may list a coin that another does not. If users cannot switch platforms in a safe and convenient manner, their transactions will be negatively affected. Enter a decentralized identity system. According to Gu, if users could have their verified identity information stored on the blockchain, in the form of a Digital ID, and exchanges were able to build a system that lets users present their Digital ID when signing up for a new platform, exchanges could operate with their users in a far more streamlined and convenient way. Gu refers to this as zero-knowledge proof technology, a form of technology that will allow users to operate on multiple exchanges without going through the same KYC and AML measures each and every time. Metaverse is currently working on making this a reality, thus making it easier for cryptocurrency traders around the world to trade their currency efficiently and effectively.
With the ideas presented at the panel discussion, it is clear that cryptocurrency exchanges are headed in a direction that could guarantee security and increased efficiency. But it is up to other exchanges to join this wave and seek to make their platforms better, too. A safer world of exchange platforms will mean increased credibility for the blockchain world, making it easier for mainstream society to become a part of this revolutionary technology.