Title: Extra layers of security to prevent hacks on crypto transaction sites & exchange Post by: DubemIfedigbo001 on November 11, 2023, 10:28:50 PM

Having researched considerably about some hacks on exchanges and crypto-enabled websites, I learned that most of the hacks occurred as a result of some loopholes either in their verification methods, transaction processes and, in rare cases, unresolved and unterminated deprecated coins' existence. One thing, however, was common in all the hacks: the funds were moved by the scammer initiating concurrent withdrawals involving large, unusual sums of money which were not checkmated, nor did they prompt for further verifications before coins were released.
I have a few suggestions I think can be of help.

These are just my security suggestions that I believe can help curb these hacks. All corrections and validations are welcome.

Title: Re: Extra layers of security to prevent hacks on crypto transaction sites & exchange Post by: bitmover on November 11, 2023, 10:42:17 PM

The best suggestion of all is basically not to keep money in exchanges.
Make transfers when you want to sell or to buy. Do not keep your money in exchanges. They are not as safe as they look. Exchanges are a big attack vector; many hackers will always be trying to log into them, and some always find out how to get some money. There are also other kinds of risks, such as exchanges going bankrupt, like FTX. Also regulatory risks, which may force exchanges to freeze your funds due to your nationality or KYC requirements.

Title: Re: Extra layers of security to prevent hacks on crypto transaction sites & exchange Post by: DubemIfedigbo001 on November 11, 2023, 10:48:42 PM

Quote
The best suggestion of all is basically not to keep money in exchanges.

Yeah, definitely, it's never safe to keep funds in exchanges because of their centralized nature and all these risks rightly pointed out above. I'm only suggesting security measures that they can take to secure their own businesses, and that websites which accept crypto for maybe purchases, gambling, etc. can employ to curb hacking into their sites and making heavy withdrawals that affect their portfolio significantly.

Quote
Make transfers when you want to sell or to buy. Do not keep your money in exchanges. They are not as safe as they look. Exchanges are a big attack vector; many hackers will always be trying to log into them, and some always find out how to get some money. There are also other kinds of risks, such as exchanges going bankrupt, like FTX. Also regulatory risks, which may force exchanges to freeze your funds due to your nationality or KYC requirements.

Title: Re: Extra layers of security to prevent hacks on crypto transaction sites & exchange Post by: philipma1957 on November 15, 2023, 12:52:26 AM

Quote
Having researched considerably about some hacks on exchanges and crypto-enabled websites, I learned that most of the hacks occurred as a result of some loopholes either in their verification methods, transaction processes and, in rare cases, unresolved and unterminated deprecated coins' existence.
One thing, however, was common in all the hacks: the funds were moved by the scammer initiating concurrent withdrawals involving large, unusual sums of money which were not checkmated, nor did they prompt for further verifications before coins were released. I have a few suggestions I think can be of help.
These are just my security suggestions that I believe can help curb these hacks. All corrections and validations are welcome.

Many hacks are inside jobs. I had a dead solid hack of my Coinbase account, because my cell phone company had a major inside-job attack. The people got into my account, viewed the holdings in it and were attempting to pull out the BTC in it. They were stopped because my 2FA was not done via the cell phone that was hacked. They still were able to put in six-digit codes as a guess, which gave them a one in one million shot at guessing the code. I was not able to shut them out for about three hours; they then made 2 attempts every hour with random six-digit codes, so they got to make eight tries, an 8/1,000,000 shot at my coin. If I did not have a really good 2FA with nothing to do with my cell phone that was hacked, they would have grabbed my coin.

Title: Re: Extra layers of security to prevent hacks on crypto transaction sites & exchange Post by: pooya87 on November 15, 2023, 05:23:45 AM

Considering that the biggest scams were when the exchange itself gets hacked and everyone loses their money, the solution to that is not using a CEX in the first place and using a DEX instead.
Quote
Concurrent withdrawals should have a 10-20 minute interval. This will give the developers the time to check the transactions properly and authenticate them automatically if they pass security verification. The check can be automated to curb excess delay.

The only way to process withdrawals is automatically; it is impossible to do them by hand unless the exchange has a handful of users. Any delay added to withdrawals only worsens the user experience and pushes customers away.

Quote
There should be an amount of withdrawal which should trigger strict security verification. The withdrawal can be permitted when the check is complete. Users can be notified of its security importance.

Requiring 2FA on all withdrawals is enough security.

Quote
The system should log out users after 5-10 minutes of inactivity or if focus is changed to another application. This will apply even to the primary login device.

That is terrible for an exchange, since users would leave the page open and idle at some point when trading.

Title: Re: Extra layers of security to prevent hacks on crypto transaction sites & exchange Post by: BlackHatCoiner on November 15, 2023, 03:02:36 PM

Quote
These are just my security suggestions that I believe can help curb these hacks. All corrections and validations are welcome.

Or, you know: don't trust third parties with bitcoin when there are decentralized, more secure alternatives like Bisq.

Quote
Do not keep your money in exchanges.

Do not use these exchanges in the first place. You don't have to worry about them being a target for attacks then. Switch to a DEX. And security is just one of the many advantages you will gain. Then there is the lack of KYC, better privacy, nobody can censor you, and the like.

Title: Re: Extra layers of security to prevent hacks on crypto transaction sites & exchange Post by: DaveF on November 15, 2023, 03:22:20 PM

You are discussing 2 different types of hacks:
One where the exchange is hacked. The other where the customer has some kind of hack/compromise.

For the client side there are a few methods that can be taken, but they all have their own issues. I would like to see the option of having a 48-hour hold on withdrawals over a certain amount.
Step 1: initiate the withdrawal.
Step 2: at least 24 hours later you have to put in the address where you want the coins sent (with some 2FA).
Step 3: at least 24 hours after that, but no more than 48 hours, you have to approve it (with a different 2FA than from step 2).
For small amounts it's fine, whatever, but much like taking cash out of an ATM, you have limits, and if you want more you have to go into the bank.

For the actual hacks on the exchange, it's really simple: all deposits go immediately into a 3-of-5 multisig wallet. Period. The hot wallet for withdrawals never has more than X hours on average of withdrawals in it. The cold wallets can ONLY fill 1 address for the hot wallet, so even if you get 3 of the multisigs, it's hard coded to only send the funds to the hot wallet address, so you would also have to get access to the hot wallet if you got access to the cold.

-Dave

Title: Re: Extra layers of security to prevent hacks on crypto transaction sites & exchange Post by: NotATether on November 16, 2023, 09:24:06 AM

You're overthinking things. If you have a compliance team, they should already be monitoring who's logging in to your account and what addresses are being withdrawn to. A holding period like what Binance does would also solve this problem.

Title: Re: Extra layers of security to prevent hacks on crypto transaction sites & exchange Post by: Synchronice on November 16, 2023, 11:24:55 AM
Quote
The best suggestion of all is basically not to keep money in exchanges.

This is the simple and plain answer to all the problems and questions. Bitcoin was meant to be a decentralized currency that would help people to get rid of 3rd parties instead of involving 3rd parties. It was created for you to be your own bank, not to rely on a 3rd party to manage your wallet and coins. Just use it for what it was created for.

Title: Re: Extra layers of security to prevent hacks on crypto transaction sites & exchange Post by: Myleschetty on November 16, 2023, 11:40:45 AM

Quote
The best suggestion of all is basically not to keep money in exchanges.

Sadly, what you said is correct, but people don't always listen until they lose their funds, especially those that trusted Binance SAFU.

Quote
Make transfers when you want to sell or to buy. Do not keep your money in exchanges. They are not as safe as they look.

Quote
Considering that the biggest scams were when the exchange itself gets hacked and everyone loses their money, the solution to that is not using a CEX in the first place and using a DEX instead.

However, using a DEX is also not totally safe if the user does not disable the access or permission granted to the DEX when using it. Another thing is smart contract vulnerabilities. Some DEXs provide their service using smart contracts, and if there's a vulnerability in the DEX smart contract, bad actors can use it to steal crypto.

Title: Re: Extra layers of security to prevent hacks on crypto transaction sites & exchange Post by: bitmover on November 16, 2023, 07:23:54 PM

Quote
Considering that the biggest scams were when the exchange itself gets hacked and everyone loses their money, the solution to that is not using a CEX in the first place and using a DEX instead.

Quote
However, using a DEX is also not totally safe if the user does not disable the access or permission granted to the DEX when using it. Another thing is smart contract vulnerabilities.
Some DEXs provide their service using smart contracts, and if there's a vulnerability in the DEX smart contract, bad actors can use it to steal crypto.

Those problems are usually related to liquidity providers, i.e., investors who lend money to the DEX smart contract to receive some money from their coins, which usually have a high APR. People who just make trades on a DEX are on the safer side, usually.

Title: Re: Extra layers of security to prevent hacks on crypto transaction sites & exchange Post by: BlackHatCoiner on November 16, 2023, 07:37:45 PM

Quote
I think probably only the inactivity part is achievable, as a browser tab has no way of knowing whether it is focused or not.

There is this: https://developer.mozilla.org/en-US/docs/Web/API/Page_Visibility_API. I just thought of it this way: when a YouTube video plays in a focused tab, once it ends it stays there and waits for you to make another request. When the same happens but the page is not focused, it automatically plays the next video.

Quote
Those problems are usually related to liquidity providers, i.e., investors who lend money to the DEX smart contract to receive some money from their coins, which usually have a high APR.

I don't get that. If there isn't a lot of liquidity, then there is less competition waiting to be exploited. In Bisq, for instance, there aren't investors. People just create buy and sell orders. What's wrong with that?

Title: Re: Extra layers of security to prevent hacks on crypto transaction sites & exchange Post by: bitmover on November 16, 2023, 10:49:48 PM

Quote
Those problems are usually related to liquidity providers, i.e., investors who lend money to the DEX smart contract to receive some money from their coins, which usually have a high APR.

Quote
I don't get that. If there isn't a lot of liquidity, then there is less competition waiting to be exploited. In Bisq, for instance, there aren't investors. People just create buy and sell orders.
What's wrong with that?

There is nothing wrong with Bisq. Myleschetty was talking about smart contract vulnerabilities. He is probably talking about the millions of funds that were stolen in the past years in the DEX ecosystem, most of them stolen from liquidity providers. They are people who lend money to DEX protocols (altcoin related, mostly, as DEXs have far more volume in altcoins). Without liquidity providers, the spread (difference in price between CEX and DEX) would be enormous and nobody would use those DEXs.

Title: Re: Extra layers of security to prevent hacks on crypto transaction sites & exchange Post by: pooya87 on November 17, 2023, 04:19:26 AM

Quote
Considering that the biggest scams were when the exchange itself gets hacked and everyone loses their money, the solution to that is not using a CEX in the first place and using a DEX instead.

Quote
However, using a DEX is also not totally safe if the user does not disable the access or permission granted to the DEX when using it. Another thing is smart contract vulnerabilities. Some DEXs provide their service using smart contracts, and if there's a vulnerability in the DEX smart contract, bad actors can use it to steal crypto.

I wouldn't call what you have in mind a DEX. These are basically "token swap platforms" where you can only swap different shittokens with each other. They have much worse vulnerabilities than what is inherited from the token's contract, since they are sometimes written by incompetent developers and are not popular enough to attract any kind of contributor to help improve the tool.

Title: Re: Extra layers of security to prevent hacks on crypto transaction sites & exchange Post by: Myleschetty on November 18, 2023, 10:01:35 PM

Quote
Considering that the biggest scams were when the exchange itself gets hacked and everyone loses their money, the solution to that is not using a CEX in the first place and using a DEX instead.
Quote
However, using a DEX is also not totally safe if the user does not disable the access or permission granted to the DEX when using it. Another thing is smart contract vulnerabilities. Some DEXs provide their service using smart contracts, and if there's a vulnerability in the DEX smart contract, bad actors can use it to steal crypto.

Quote
Those problems are usually related to liquidity providers, i.e., investors who lend money to the DEX smart contract to receive some money from their coins, which usually have a high APR. People who just make trades on a DEX are on the safer side, usually.

There are some DEXs that have smart contract vulnerabilities.

Quote
Considering that the biggest scams were when the exchange itself gets hacked and everyone loses their money, the solution to that is not using a CEX in the first place and using a DEX instead.

Quote
However, using a DEX is also not totally safe if the user does not disable the access or permission granted to the DEX when using it. Another thing is smart contract vulnerabilities. Some DEXs provide their service using smart contracts, and if there's a vulnerability in the DEX smart contract, bad actors can use it to steal crypto.

Quote
I wouldn't call what you have in mind a DEX. These are basically "token swap platforms" where you can only swap different shittokens with each other. They have much worse vulnerabilities than what is inherited from the token's contract, since they are sometimes written by incompetent developers and are not popular enough to attract any kind of contributor to help improve the tool.

Title: Re: Extra layers of security to prevent hacks on crypto transaction sites & exchange Post by: pooya87 on November 19, 2023, 04:43:21 AM

Quote
Bisq is the only secure DEX for Bitcoin, but that doesn't mean the DEXs for altcoins are not DEXs.

That's true; technically, if they are decentralized, they can be categorized as DEXs, but my point is that they are very limited in the sense of what an exchange has to be offering.
Usually in such platforms you can only swap tokens from a single token platform, like only being able to swap Ethereum tokens with other Ethereum tokens, and there is no option to "exchange" them for bitcoin, litecoin, etc. That is why I prefer the term "token swap platforms" for these things instead of DEX.

Title: Re: Extra layers of security to prevent hacks on crypto transaction sites & exchange Post by: BlackBoss_ on November 22, 2023, 02:33:39 AM

Quote
Concurrent withdrawals should have a 10-20 minute interval. This will give the developers the time to check the transactions properly and authenticate them automatically if they pass security verification. The check can be automated to curb excess delay.

Exchanges always check your account activities, login, what address you are submitting to withdraw your coins to, and more, like the geolocation of your IP address, before approving your withdrawal request.

About the interval of 10 or 20 minutes, do you mean it is for withdrawal through the Bitcoin blockchain? Centralized exchanges have to use high fee rates that are at the tip of the mempool to make sure their on-chain transactions for user withdrawals will be confirmed in the next block. Sometimes it does not work, if the mempool suddenly becomes overloaded or congested, but usually their high fee rates are enough to get a confirmation within the next block. Your suggestion does not make sense regarding waiting time for an on-chain confirmation.

If the suggestion is for exchange approval of the user's withdrawal request only, not yet the next step of processing a batch transaction for many users, it does not make sense either. Taking 10 to 20 minutes just to approve a withdrawal request is terrible as a service. Exchanges do have their automatic mechanisms to check those requests, then approve or disapprove them. I guess only suspicious cases will have to go through a manual process.
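The three concrete controls discussed above (philipma1957's point that a blindly guessed six-digit 2FA code only pays off if the attacker gets enough tries, DaveF's tiered holds with a hot wallet that holds only a few hours of outflow, and BlackBoss_'s automated approval checks that escalate only suspicious cases) put together as one withdrawal-release check. This is an added example, not code from the thread or from any exchange; the thresholds, the lockout parameters, the sample withdrawal history and the address strings are assumptions chosen for illustration, and the TOTP secret is the RFC 6238 test-vector value.

```python
"""Layered withdrawal release: a TOTP second factor with a failed-attempt
lockout, then an amount/velocity policy that releases, holds or escalates
the request, plus a hot-wallet float target. Added example, not the
thread's or any exchange's code; all limits and sample data are assumed."""
import hashlib
import hmac
import struct
from dataclasses import dataclass


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step). Six digits give 10**6 codes, so
    one blind guess has a 1-in-1,000,000 chance; the lockout below is what
    stops an attacker from accumulating guesses."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


@dataclass
class SecondFactor:
    """Per-account TOTP verifier that counts wrong codes and locks the account
    (assumed: 5 failures, one hour). The secret lives in an authenticator app,
    not behind the phone number, so a SIM/carrier compromise does not expose it."""
    secret: bytes
    max_failures: int = 5
    lock_seconds: int = 3600
    failures: int = 0
    locked_until: int = 0

    def verify(self, code: str, now: int) -> bool:
        if now < self.locked_until:
            return False                      # locked: the code is not evaluated
        if len(code) == 6 and code.isdigit():
            for drift in (0, 30):             # current and previous step (clock drift)
                if hmac.compare_digest(totp(self.secret, now - drift), code):
                    self.failures = 0
                    return True
        self.failures += 1                    # malformed or wrong: counts as a try
        if self.failures >= self.max_failures:
            self.locked_until = now + self.lock_seconds
            self.failures = 0
        return False


@dataclass
class Withdrawal:
    amount: float       # coin units
    address: str
    requested_at: int   # unix time


@dataclass
class WithdrawalPolicy:
    """Assumed tiers in coin units. Below instant_limit: released at once. Up to
    hold_limit: released after hold_seconds so the owner can cancel. Above that,
    or when the rolling-window total would be exceeded (the 'concurrent large
    withdrawals' pattern): manual review. A never-seen destination is held too."""
    instant_limit: float = 0.1
    hold_limit: float = 1.0
    hold_seconds: int = 48 * 3600
    window_seconds: int = 24 * 3600
    window_limit: float = 2.0


def decide(policy: WithdrawalPolicy, history: list, req: Withdrawal,
           known_addresses: set) -> str:
    """Verdict for a request that already passed SecondFactor.verify:
    'release', 'hold:<unix time when it may be sent>' or 'review'."""
    recent = sum(w.amount for w in history
                 if 0 <= req.requested_at - w.requested_at < policy.window_seconds)
    if req.amount >= policy.hold_limit or recent + req.amount > policy.window_limit:
        return "review"
    if req.amount >= policy.instant_limit or req.address not in known_addresses:
        return f"hold:{req.requested_at + policy.hold_seconds}"
    return "release"


def hot_wallet_target(history: list, now: int, hours: float, days: int = 7) -> float:
    """Float to keep in the hot wallet: `hours` worth of average hourly outflow
    over the last `days` days; the rest stays behind the multisig cold wallet
    that can only refill this one hot-wallet address."""
    window = days * 24 * 3600
    total = sum(w.amount for w in history if 0 <= now - w.requested_at < window)
    return total / (days * 24) * hours


def demo():
    """Walk one account through both layers on constructed data."""
    secret = b"12345678901234567890"       # RFC 6238 test-vector secret, never a real one
    now = 1_700_000_000
    sf = SecondFactor(secret)
    for _ in range(sf.max_failures):       # five blind guesses lock the account
        sf.verify("000000", now)
    locked_rejects_real_code = not sf.verify(totp(secret, now), now)
    later = now + sf.lock_seconds          # lock expired: the real code works again
    unlocked_accepts = sf.verify(totp(secret, later), later)
    history = [Withdrawal(0.05, "bc1q-known", now - 3600),      # constructed
               Withdrawal(0.40, "bc1q-known", now - 5 * 3600)]
    req = Withdrawal(0.30, "bc1q-new", later)                   # new destination
    verdict = decide(WithdrawalPolicy(), history, req, {"bc1q-known"})
    return locked_rejects_real_code, unlocked_accepts, verdict


if __name__ == "__main__":
    print(demo())
```

With the assumed limits, `demo()` returns `(True, True, "hold:1700176400")`: the fifth wrong code locks the account so even the correct code is refused until the lock expires, and the 0.30 request to a fresh address is neither released nor escalated but parked for 48 hours. Tuning the tiers is a product decision; the property worth keeping is that every verdict other than `release` is produced without a human in the loop, which is the objection raised above to any blanket 10-20 minute delay.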
Title: Re: Extra layers of security to prevent hacks on crypto transaction sites & exchange Post by: NotATether on November 24, 2023, 05:23:06 AM

Quote
I think probably only the inactivity part is achievable, as a browser tab has no way of knowing whether it is focused or not.

Quote
There is this: https://developer.mozilla.org/en-US/docs/Web/API/Page_Visibility_API. I just thought of it this way: when a YouTube video plays in a focused tab, once it ends it stays there and waits for you to make another request. When the same happens but the page is not focused, it automatically plays the next video.

OK, but nobody uses that for authentication. That will just annoy the user. What if, while they are using the site, they get a push notification from their email tab, and then they switch tabs to read the email for a few minutes? Or if they are on a mobile device and briefly switch apps? When you also take into account that there are likely captchas and 2FA on the login page, it starts to get cumbersome for people to use the site.

Title: Re: Extra layers of security to prevent hacks on crypto transaction sites & exchange Post by: Agbe on November 24, 2023, 05:58:47 AM