Eight Weak Links that Make Cryptocurrency Exchanges Vulnerable

Cryptocurrency is all the rage right now. There are currently over 1,600 different cryptocurrencies in circulation with a combined value approaching $350 billion.

The top three cryptocurrencies alone—Bitcoin, Ethereum, and Ripple—are worth more than $210 billion. Cryptocurrency is clearly considered a hot investment by people around the world.

One of the primary attractions of cryptocurrency is its security. However, the security of cryptocurrency is irrelevant if the exchange in which it is stored it is not secure. In this case, there’s a good chance that you will wake up one day and find that all of your cryptocurrency has simply disappeared.

While Blockchain technology, the foundation for cryptocurrency, provides strong security, both cryptocurrency and the exchange that stores your cryptocurrency can be hacked or compromised in a variety of ways.
Compromised Credentials
No matter how much security protects a system, a certain number of users must be authorized to access it. In the case of cryptocurrencies and cryptocurrency exchanges, customers, cryptocurrency owners and cryptocurrency exchange administrators represent relatively easy targets for attackers. Our analysis indicates that the number one cause of crypto exchange hacks is compromised credentials. 

In 2017 alone, compromised credentials led to multiple crypto exchange hacks. In June 2017, personal information, including the names, email addresses, and mobile phone numbers of more than 30,000 customers was compromised when hackers gained access to a Bithumb crypto exchange employee’s personal computer.

The attackers were able to steal tens of thousands of dollars of cryptocurrency as well. Hackers were also able to compromise the credentials of a system engineer to gain access to NiceHash and steal about $75 million.

Social Engineering Attacks
Attackers know that the weakest links in any computer security system are human beings. Social engineering attacks can provide attackers with the information they need to access a cryptocurrency exchange.

A spear phishing attack in 2015 resulted in the theft of $5 million from Bitstamp, after an administrator for the crypto exchange opened a malicious file.

Cryptocurrency Code Vulnerabilities
No code is invulnerable. The code underlying a cryptocurrency exchange can contain vulnerabilities that can be exploited to hack transactions. 

In 2016, thieves were able to exploit a loophole in the code for a decentralized autonomous organization, or DAO, and steal cryptocurrency. The DAO had been created as a decentralized investment fund, with each contributor having a weighted vote as to how the funds would be invested. The premise of the DAO was that managing transactions via code eliminated the need to trust humans to perform the transactions and the distributed nature of the system would also prevent any individual from stealing the money. Attackers were able to exploit a flaw in how the code processed transactions to siphon off $50 million worth of Ethereum. 

Test Accounts in Production Environment
Test accounts are common in any development environment. Developers use accounts with a variety of permissions and access privileges to test code and verify that everything works the way it should. But test accounts can be an Achilles heel for a cryptocurrency exchange. They are neither closely managed nor monitored and can allow an attacker to access a network. 

Following established best practices, test accounts should only exist in a test or staging environment. Such accounts should never be used in a production environment. If for some reason a test account must be used in a production environment, the account should have only the minimal level of privileges and access required for basic performance and functionality testing. Periodic audits of the production environment should identify and remove any rogue test accounts. 

Lack of Separation of Duties
Another best practice is to ensure separation of duties and implement the practice of “least privileged access” for accounts. Crypto exchanges should include a closely monitored process that allows developers to access production systems only as needed, such as in an emergency.

Poor Account Management and Hygiene
When a cryptocurrency exchange does not manage account hygiene effectively, the attack surface is expanded unnecessarily and the exchange is exposed to attack. Along with restricting test account access in a production environment and ensuring proper separation of duties for different roles, it is important that the crypto exchange exercise basic account management best practices.

Transaction Malleability
The foundation for the security of cryptocurrency—Blockchain technology--is that transactions are immutable—they cannot be changed. One of the largest cryptocurrency exchange heists in history was the result of transaction malleability when attackers discovered that they could change the transaction ID before the transaction was closed and thereby divert funds to a different account. In 2014, hackers used this loophole to divert nearly $500 million in funds from the Mt. Gox crypto exchange.

Lack of Hot Wallet Protection
Cryptocurrency exchange servers and storage networks maintain live pools of digital currency, called hot wallets. The cryptocurrency in a hot wallet should be encrypted and secure, but if the hot wallet itself is not protected properly or lacks sufficient security controls, the cryptocurrency in it is vulnerable to theft.

The hot wallet should be secured using multi-signature private keys, providing distributed security and ensuring that a single key cannot gain access. In January of 2018, hackers stole a record $530 million from Coincheck: multi-signature keys were not used, and the hackers obtained a single private key that allowed them to unlock the hot wallet. 

Secure the Cryptocurrency Exchange
The explosion of cryptocurrency and the billions of dollars pouring into it make it a very attractive target for cybercriminals. Blockchain technology has many benefits—one of which is security.

However, there is always a weak link somewhere. These examples illustrate that even though cryptocurrency itself might be secure, the cryptocurrency exchanges that process transactions and store digital currency can be vulnerable to potential hacks and to theft.

What’s Hot on Infosecurity Magazine?