Bitcoin Forum
Author Topic: [2018-10-05]54% of Analyzed Crypto Exchanges Fail to Satisfy Proper Security Req  (Read 251 times)
Vladdirescu87 (OP)
Sr. Member
Activity: 966
Merit: 264
October 05, 2018, 08:33:46 PM
 #1

54% of Analyzed Crypto Exchanges Fail to Satisfy Proper Security Requirements

According to research conducted by ICORating, only 46% of the digital currency exchanges examined met certain parameters necessary to maintain security and immunity of the platform. Moreover, during the last 8 years, $1.3 billion was stolen as a result of crypto exchange hacks.

Read the details in the article from Coinidol dot com, the world blockchain news outlet: https://coinidol.com/crypto-exchanges-fail-to-satisfy-proper-security-requirements/

gentlemand
Legendary
Activity: 2590
Merit: 3008
Welt Am Draht
October 17, 2018, 02:03:52 PM
 #2

'They include code errors, web protocol security, user account security, and registrar and domain security.'

So it doesn't go into what's happening inside the exchanges, which is the more important bit. Coincheck kept ALL of their XEM in one hot wallet waiting to be tapped by any passerby. Okcoin/Okex used to keep all their backups in the CEO's girlfriend's grandmother's cupboard, that's when they weren't putting customer funds into bullshit investment schemes.

It looks like many hacks could be prevented with some common sense and attention. Not too many places can be bothered. Coincheck in particular lost hundreds of millions of their own dollars and they could've prevented that by bothering to implement multisig which is free and built into the XEM protocol.
Kemarit
Legendary
Activity: 3066
Merit: 1351
October 17, 2018, 02:44:53 PM
 #3

~ snip ~

Another, more recent hack: the Japanese crypto exchange Zaif, which didn't take care of its hot wallets. But it's really a blunder on their part, as we all know that it can be breached at any time because it's always online. Just a simple implementation like using cold wallets could have prevented it. Hackers are really very smart and, like I say, they're always one step ahead of the game. The primary responsibility of exchanges is to really tighten up, because it's going to be a continued cat-and-mouse game out there.

1Referee
Legendary
Activity: 2170
Merit: 1427
October 17, 2018, 05:39:42 PM
 #4

Just a simple implementation like using cold wallets could have prevented it. Hackers are really very smart and, like I say, they're always one step ahead of the game. The primary responsibility of exchanges is to really tighten up, because it's going to be a continued cat-and-mouse game out there.

I like what Bitmex is doing, they don't use hot wallets at all; all they do is process withdrawals manually once a day and that's it. It means less convenience, but more security, so what are exchanges waiting for? I would even like it to become an industry standard amongst top tier exchanges that hot wallets no longer exist, and who knows, maybe it will become an actual requirement at the regulatory level.

The only risk left is that the exchange itself will run off with the funds, but that's highly unlikely in an environment where most of the funds are known to belong to exchange X or Y. We will never be able to eliminate risks entirely, but we can instantly book a massive improvement in security. I think that's more than enough to give traders and investors a peace of mind.
maryvale
Sr. Member
Activity: 254
Merit: 250
October 17, 2018, 06:00:00 PM
 #5

That's why I never store coins at exchanges, they are simply too risky. They can be used for occasional trades, but afterwards it's better to transfer the coins back to your own storage.
hotforblockchain
Member
Activity: 266
Merit: 26
October 21, 2018, 10:02:46 PM
 #6

This is something that has dazzled me for a while now: periodically we hear of another 100-thousand- or million-dollar exchange hack, but it seems that it does not make the security measures better at other exchanges.
I do not understand how they can be so careless about this absolutely vital aspect of their business.

I wonder if this report included those small exchanges with only tens of thousands of dollars in volume, which in my opinion are not relevant.

figmentofmyass
Legendary
Activity: 1652
Merit: 1483
October 21, 2018, 11:17:20 PM
 #7

'They include code errors, web protocol security, user account security, and registrar and domain security.'

So it doesn't go into what's happening inside the exchanges, which is the more important bit. Coincheck kept ALL of their XEM in one hot wallet waiting to be tapped by any passerby. Okcoin/Okex used to keep all their backups in the CEO's girlfriend's grandmother's cupboard, that's when they weren't putting customer funds into bullshit investment schemes.

It looks like many hacks could be prevented with some common sense and attention. Not too many places can be bothered. Coincheck in particular lost hundreds of millions of their own dollars and they could've prevented that by bothering to implement multisig which is free and built into the XEM protocol.

bitfinex essentially used to leave all customer BTC in a hot wallet too. as the story goes, giancarlo got tired of being woken up in the middle of the night to refill the hot wallet. so they developed the bitgo multi-factor system where they kept all keys (bitcoin and bitgo API) online.

and poof, there goes 120k bitcoins.

we should be thinking of amounts in bitcoins, not dollars. at today's valuation, the bitfinex hack was markedly worse than coincheck. and it makes zaif look like a non-event.
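Editor's added example, not code from any poster or from any exchange, modelling the custody point made in this post and in gentlemand's earlier one about Coincheck: a threshold (m-of-n) wallet only protects against key theft if the keys sit in custody domains an attacker cannot take as one unit. The four wallet layouts below are constructed illustrations with assumed domain names; only the "co-signer reachable via an API credential on the same server" case follows the description in the post above, and none of them claims to be any exchange's real key layout.

```python
"""Custody-domain check for threshold (m-of-n) wallets.

A wallet needs `threshold` signatures. Each key lives in one custody domain,
meaning a host, vendor or vault an attacker compromises as a single unit, and is
either reachable from the exchange network (online) or not. Three questions a
custody review asks: which single domain can spend on its own, how many domains
must fall before the threshold is met, and whether a full network compromise
(every online key lost at once) is enough to move the funds.
"""
from typing import Dict, List, NamedTuple


class Key(NamedTuple):
    domain: str    # host / vendor / vault holding the key, or the credential that drives it
    online: bool   # True if a compromise of the exchange network reaches it


class Wallet(NamedTuple):
    threshold: int
    keys: Dict[str, Key]


def keys_per_domain(w: Wallet) -> Dict[str, int]:
    """How many of the wallet's keys each custody domain effectively controls."""
    counts: Dict[str, int] = {}
    for k in w.keys.values():
        counts[k.domain] = counts.get(k.domain, 0) + 1
    return counts


def spof_domains(w: Wallet) -> List[str]:
    """Domains whose compromise alone meets the signing threshold."""
    return sorted(d for d, n in keys_per_domain(w).items() if n >= w.threshold)


def min_domains_to_spend(w: Wallet) -> int:
    """Fewest distinct domains an attacker must take to reach the threshold.

    Greedy largest-first is optimal here: we only need the key counts to sum
    to the threshold, so taking the richest domains first never loses.
    """
    have = taken = 0
    for n in sorted(keys_per_domain(w).values(), reverse=True):
        if have >= w.threshold:
            break
        have += n
        taken += 1
    if have < w.threshold:
        raise ValueError("threshold exceeds number of keys; wallet can never sign")
    return taken


def network_compromise_spends(w: Wallet) -> bool:
    """True if the keys reachable from the network alone meet the threshold."""
    return sum(1 for k in w.keys.values() if k.online) >= w.threshold


# Constructed layouts (assumed names, for illustration; not any exchange's real setup).

# One key on the trading platform's server: the single hot wallet the thread criticises.
SINGLE_HOT = Wallet(1, {"hot": Key("exchange-server", True)})

# 2-of-3 where the server holds its own key and the API credential that makes the
# co-signing service sign on demand; the third key is an offline backup. The
# co-signer's key is counted in the server's domain because that credential drives it.
COSIGNER_VIA_API = Wallet(2, {
    "exchange": Key("exchange-server", True),
    "cosigner": Key("exchange-server", True),
    "backup": Key("offline-vault", False),
})

# Same 2-of-3, but the co-signer enforces its own policy on a system the exchange
# does not control, so its key sits in a separate domain.
SPLIT_ONLINE = Wallet(2, {
    "exchange": Key("exchange-server", True),
    "cosigner": Key("cosigner-service", True),
    "backup": Key("offline-vault", False),
})

# Cold 2-of-3: two keys offline in separate vaults, one online for operational use.
COLD_2OF3 = Wallet(2, {
    "vault_a": Key("vault-a", False),
    "vault_b": Key("vault-b", False),
    "ops": Key("exchange-server", True),
})


def report(w: Wallet) -> Dict[str, object]:
    return {
        "spof": spof_domains(w),
        "min_domains": min_domains_to_spend(w),
        "network_spend": network_compromise_spends(w),
    }


if __name__ == "__main__":
    for name, w in [("single hot", SINGLE_HOT), ("cosigner via API", COSIGNER_VIA_API),
                    ("split online", SPLIT_ONLINE), ("cold 2-of-3", COLD_2OF3)]:
        print(f"{name:18s} {report(w)}")
```

The point the output makes: the "co-signer via API" layout is nominally 2-of-3 but scores exactly like the single hot wallet (one domain, and the network alone, can spend). Splitting the co-signer off removes the single point of failure but still leaves two online keys, so a network-wide compromise still spends; only the layout with two offline keys survives that scenario, which is the cold-storage argument the rest of the thread makes.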

gentlemand
Legendary
Activity: 2590
Merit: 3008
Welt Am Draht
October 21, 2018, 11:26:14 PM
 #8

bitfinex essentially used to leave all customer BTC in a hot wallet too. as the story goes, giancarlo got tired of being woken up in the middle of the night to refill the hot wallet. so they developed the bitgo multi-factor system where they kept all keys (bitcoin and bitgo API) online.

and poof, there goes 120k bitcoins.

we should be thinking of amounts in bitcoins, not dollars. at today's valuation, the bitfinex hack was markedly worse than coincheck. and it makes zaif look like a non-event.

That's the first time I've heard that detail about Bitfinex. They could've employed some gimp to do the refills but he probably would've stolen it all instead. Rather usefully for BFX, everyone but them paid for their laziness and incompetence.

Coincheck's XEM balance consisted of about 10-15% of the entire circulating supply. I don't think I'd enjoy seeing someone attempting to offload that proportion of BTC. If I remember rightly the hacker finished up by posting a photo of Kim Jong Un throwing dollar bills at the camera.

Ultimately Coincheck fucked themselves, the XEM price and nothing else. Their customers only held something like 10% of the stolen coins and they got paid back.





Rahar02
Hero Member
Activity: 910
Merit: 523
October 21, 2018, 11:59:31 PM
Last edit: October 22, 2018, 11:10:16 AM by Rahar02
 #9

I like what Bitmex is doing, they don't use hot wallets at all; all they do is process withdrawals manually once a day and that's it. It means less convenience, but more security, so what are exchanges waiting for?

Yeah, it would work great for people who look for a better security, but not for those who want to trade instantly and intensely, deposit and withdraw as fast as possible.
Keeping the majority of coins in cold storage and constantly refilling the hot wallet for the daily transactions is still a good decision for some exchanges; I would go for it as well.
Nevertheless, it's hard work, as the war against intruders and hackers takes place every day, so exchanges have to do maintenance periodically.

bitfinex essentially used to leave all customer BTC in a hot wallet too. as the story goes, giancarlo got tired of being woken up in the middle of the night to refill the hot wallet. so they developed the bitgo multi-factor system where they kept all keys (bitcoin and bitgo API) online.

and poof, there goes 120k bitcoins.

That's the first time I've heard that detail about Bitfinex. They could've employed some gimp to do the refills ~

That's rude my friend, pardon me; even a gimp can run away with all of the bitcoins if he wants to.
The hardest thing in business is finding trustworthy people, so the best option is your family, brothers, sisters, or wife. But make sure you have a good relationship with them. Cheesy
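Editor's added example of the two policies argued over in this post and in 1Referee's #4 (once-a-day manual processing versus a capped hot-wallet float that is refilled from cold storage), written for this page rather than taken from any poster or exchange. The timeline of deposits and withdrawals, the cap, the refill interval and the balances are all constructed assumptions; the simulation measures the two things the policies trade against each other, the largest balance ever exposed on the online key and the longest a customer waited.

```python
"""Hot-wallet float policy simulation on a constructed timeline.

Policy A keeps everything hot and pays every withdrawal as it arrives.
Policy B keeps most funds cold, caps the hot wallet at a fixed float,
tops it up from cold on a manual schedule (that step needs the cold key,
so it cannot be automated) and queues withdrawals the float cannot cover
until the next top-up. Deposits land hot and any excess over the cap is
swept to cold immediately, which needs no cold key because the cold
address is public.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Event = Tuple[int, str, float]  # (hour, "withdraw" | "deposit", amount)


@dataclass
class Wallets:
    cold: float
    hot: float = 0.0
    queue: List[Tuple[int, float]] = field(default_factory=list)  # (requested_at, amount)
    max_hot: float = 0.0
    max_delay: int = 0
    paid: float = 0.0

    def note(self) -> None:
        self.max_hot = max(self.max_hot, self.hot)


def refill(w: Wallets, cap: float, now: int) -> None:
    """Scheduled cold-to-hot top-up, then drain the withdrawal queue FIFO."""
    need = cap - w.hot
    if need > 0:
        moved = min(need, w.cold)
        w.cold -= moved
        w.hot += moved
    # A queued request larger than the cap never clears here; a real desk
    # handles that one out-of-band, straight from cold.
    while w.queue and w.queue[0][1] <= w.hot:
        requested_at, amount = w.queue.pop(0)
        w.hot -= amount
        w.paid += amount
        w.max_delay = max(w.max_delay, now - requested_at)
    w.note()


def withdraw(w: Wallets, now: int, amount: float) -> None:
    """Pay from the float if it covers the request and nobody is already waiting; else queue it."""
    if not w.queue and amount <= w.hot:
        w.hot -= amount
        w.paid += amount
    else:
        w.queue.append((now, amount))
    w.note()


def deposit(w: Wallets, cap: float, amount: float) -> None:
    """Deposits land hot; anything above the cap is swept to cold at once."""
    w.hot += amount
    if w.hot > cap:
        w.cold += w.hot - cap
        w.hot = cap
    w.note()


def simulate(total: float, hot_cap: float, refill_every: int,
             events: List[Event], horizon: int) -> Dict[str, object]:
    w = Wallets(cold=total)
    by_hour: Dict[int, List[Tuple[str, float]]] = {}
    for hour, kind, amount in events:
        by_hour.setdefault(hour, []).append((kind, amount))
    for hour in range(horizon + 1):
        if hour % refill_every == 0:
            refill(w, hot_cap, hour)
        for kind, amount in by_hour.get(hour, []):
            if kind == "withdraw":
                withdraw(w, hour, amount)
            else:
                deposit(w, hot_cap, amount)
    return {"max_hot": w.max_hot, "max_delay_hours": w.max_delay,
            "paid": w.paid, "hot": w.hot, "cold": w.cold, "pending": len(w.queue)}


# Constructed 48-hour timeline in coin units; not real exchange traffic.
EVENTS: List[Event] = [
    (2, "withdraw", 4), (5, "deposit", 8), (9, "withdraw", 7), (15, "withdraw", 5),
    (20, "withdraw", 2), (30, "withdraw", 3), (31, "withdraw", 1),
]
TOTAL = 100.0


def everything_hot() -> Dict[str, object]:
    """Instant withdrawals: the cap is never reached, so the whole balance sits on the online key."""
    return simulate(TOTAL, 1000.0, 24, EVENTS, 48)


def capped_float() -> Dict[str, object]:
    """Cap the float at 10 and refill manually once a day."""
    return simulate(TOTAL, 10.0, 24, EVENTS, 48)


if __name__ == "__main__":
    print("everything hot:", everything_hot())
    print("capped float:  ", capped_float())
```

On this timeline the all-hot policy exposes 104 coins at its peak with zero waiting, while the capped float never exposes more than 10 but makes one customer wait 17 hours for a single coin. Shortening `refill_every` trades some of that delay back for more frequent manual signing, which is the refill chore the Bitfinex anecdote above describes.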
milewilda
Legendary
Activity: 3094
Merit: 1127
October 22, 2018, 01:16:21 PM
 #10

I like what Bitmex is doing, they don't use hot wallets at all; all they do is process withdrawals manually once a day and that's it. It means less convenience, but more security, so what are exchanges waiting for?

Yeah, it would work great for people who look for a better security, but not for those who want to trade instantly and intensely, deposit and withdraw as fast as possible.
Keeping the majority of coins in cold storage and constantly refilling the hot wallet for the daily transactions is still a good decision for some exchanges; I would go for it as well.
Nevertheless, it's hard work, as the war against intruders and hackers takes place every day, so exchanges have to do maintenance periodically.
Anything really does have drawbacks: it's more secure but less convenient. Some would prefer that, but most people or traders would tend to take the risk just for the sake of convenience, which, as you have said, is where they are able to make trades instantly without the hassle of withdrawing and depositing funds any time they see an opportunity.
One thing on my mind is how they actually performed such a test on each exchange to get that percentage.

1Referee
Legendary
Activity: 2170
Merit: 1427
October 22, 2018, 03:17:47 PM
 #11

Yeah, it would work great for people who look for a better security, but not for those who want to trade instantly and intensely, deposit and withdraw as fast as possible.

I can see why people prefer fast withdrawals, but the funny thing is that most of the users who fall victim to a hacked exchange blame the same exchange they praised for its convenience, and the main reason for blame is that the exchange has way too many coins in its hot wallets. If an exchange shrinks down its hot wallets, people complain about slow withdrawals, and when an exchange tries to fill up its hot wallets sufficiently, it's wrong again.

In other words, whatever an exchange does, it's wrong. It's better to do "wrong" and get rid of instant withdrawals entirely and prevent hacks, than to do "wrong" by letting people withdraw any amount in an instant with the risk of getting hacked, which happens frequently enough.
Rahar02
Hero Member
Activity: 910
Merit: 523
October 23, 2018, 04:42:47 PM
 #12

~
In other words, whatever an exchange does, it's wrong. It's better to do "wrong" and get rid of instant withdrawals entirely and prevent hacks, than to do "wrong" by letting people withdraw any amount in an instant with the risk of getting hacked, which happens frequently enough.

If an exchange gets hacked and I lose coins/funds, is it the exchange's fault? Yes. But 100% their fault? No, as I chose to deposit on that exchange.
I would say it's a gamble to put money or coins on the exchange until we withdraw it. Yes, the most secure is to keep ours in cold storage, off the grid, and then sometimes we have to trade on exchanges, right? But everyone should be aware that if they deal with exchanges there is a chance to lose it all; it's part of the risk.
Thekool1s
Legendary
Activity: 1512
Merit: 1218
Change is in your hands
October 24, 2018, 12:50:16 AM
 #13

@Rahar02 @1Referee The easiest solution to satisfy both kinds of customers would be to run two subdomains. E.g. hot.Bitfinex.com and cold.bitfinex.com, where on "hot" you could withdraw instantly but would know the risk that is involved. As for users who want to play safe, they could use "cold", which would process the withdrawals manually. If you ask me, these exchanges should partner up and build a bunker of sorts where they would store/create their cold wallets. I am sure these exchanges are making millions; they surely can spend a couple of hundred thousand dollars on a bunker. This would ensure almost 0% risk for the high rollers/whales. I am surprised why no one has thought of something like this before. I guess scamming people is more profitable than running a sustainable business.  Undecided
1Referee
Legendary
Activity: 2170
Merit: 1427
October 24, 2018, 06:58:35 PM
 #14

If an exchange gets hacked and I lose coins/funds, is it the exchange's fault? Yes. But 100% their fault? No, as I chose to deposit on that exchange.
I would say it's a gamble to put money or coins on the exchange until we withdraw it. Yes, the most secure is to keep ours in cold storage, off the grid, and then sometimes we have to trade on exchanges, right? But everyone should be aware that if they deal with exchanges there is a chance to lose it all; it's part of the risk.
I wish more people were accepting of the risks they expose themselves to like you do.

The easiest solution to satisfy both kinds of customers would be to run two subdomains. E.g. hot.Bitfinex.com and cold.bitfinex.com, where on "hot" you could withdraw instantly but would know the risk that is involved. As for users who want to play safe, they could use "cold", which would process the withdrawals manually.
Not sure if that's actually a solution. In case an exchange gets hacked, they tend to 'socialize' the losses, which means that even the traders using the 'cold' side of the platform will be affected.

If you ask me, these exchanges should partner up and build a bunker of sorts where they would store/create their cold wallets. I am sure these exchanges are making millions; they surely can spend a couple of hundred thousand dollars on a bunker. This would ensure almost 0% risk for the high rollers/whales. I am surprised why no one has thought of something like this before. I guess scamming people is more profitable than running a sustainable business.  Undecided
Xapo is storing around $8 billion worth of Bitcoin in bunkers, so it's definitely possible.

Coinbase for example generates its private keys in tents (read) that it pops up in different locations, all to avoid situations where ill minded entities will set up hardware in an attempt to compromise the data signals. I'm certain that their main cold wallets are distributed amongst the top employees, and they all have it stored either at home, or in a bank vault or something.
Thekool1s
Legendary
Activity: 1512
Merit: 1218
Change is in your hands
October 25, 2018, 01:06:15 PM
 #15

Quote
Not sure if that's actually a solution. In case an exchange gets hacked, they tend to 'socialize' the losses, which means that even the traders using the 'cold' side of the platform will be affected.

But by doing something like Coinbase's tents, they won't have an excuse. The 'cold' side will ensure things like creating private keys in a "total offline" condition. I mean, I am not surprised that Coinbase hasn't been hacked so far. That article was an excellent read. It makes total sense to me to take extra precautions like they do, and it should be industry standard if you ask me. I mean, I kind of blame the users too for using these random exchanges who don't take their security seriously. I would gladly pay an additional 1% fee if that will mean my coins will be held safe in a "bank-like bunker".