Regulatory lapses and inadequate levels of security have led to a number of cryptocurrency exchanges falling victim to hackers. Michael Julian, information security officer at Hosho, explains where they are going wrong. Briony Richter reports.

Cryptocurrency has become a societal obsession, attracting both supporters and strong critics. Although volatile, digital currencies continue to send shockwaves across the world.

However, maintaining the security of cryptocurrency is irrelevant if the exchange in which it is stored is not secure. In September 2018, Japan-based cryptocurrency exchange Zaif admitted that it had been hacked.

Tech Bureau, the parent company behind the Zaif exchange, announced that close to 6,000 Bitcoins, worth around $29m, had been stolen by hackers. Of the $60m stolen, around $19.6m belonged to the exchange; the rest was client money. The latest attack on cryptocurrency exchanges once again brings to light the vulnerabilities of the infrastructure, and the risk investors take when placing trust in them.

Hosho’s Michael Julian offers a clear assessment of where exchanges are going wrong:

“Lack of company focus on cybersecurity – specifically, in this case, improper storage of cryptocurrency funds – is making cyberattacks frequent in the industry. The lack of resources devoted to cybersecurity causes exchanges to have weak network security that, once breached, leads to a loss of funds caused by poor cryptocurrency storage practices that are susceptible to attacks.”

The hacks reveal how the platforms within these cryptocurrency exchanges can be ill-equipped to cope with the volatility of, and unpredictable surges in demand for, cryptocurrency. Hacking can create an immense level of stress on the systems, and their ability to handle extreme volume is yet to be properly tested.

The hack into the Zaif exchange follows a long line of other successful breaches of security. At least five major hacks have occurred so far in 2018 and, to make matters worse, a whole weekend passed before Tech Bureau detected the Zaif hack.

It is believed that the hackers had gained access to Zaif’s hot wallets, a type of cryptocurrency wallet that is stored online.

“While the method of entry into Zaif’s network is unclear at this time, it’s likely that Zaif was not following a sound hot/cold wallet policy,” Julian states.

“Given the $59m stored in hot wallets, which is not recommended, either the attacker had already breached the system then waited patiently for the perfect opportunity to withdraw funds – such as a period of extremely high withdrawal requests – or, more likely, there was an internal failure to implement or follow an effective hot/cold wallet-storage strategy.

“To succinctly answer the question, it is likely that this attack was moderately difficult, particularly to infiltrate the network. However, with paydays in double-digit millions, it’s understandable that hackers are extremely motivated to engage at higher levels of expertise,” he adds.

In January 2018, Coincheck, another Japan-based currency exchange, lost a record-breaking $526m to hackers. The exchange had been storing its assets in a hot wallet that Coincheck admitted it had not secured with multi-signature private keys. Multi-signature security requires multiple sign-offs before funds can be transferred; had it been in use, a single breach would not have been enough to access the funds.
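As an added illustration (not code from Hosho, Coincheck or the article), the sign-off rule described above can be modelled as a 2-of-3 approval gate on a withdrawal. The approver names, keys, threshold and sample request are assumptions, and HMAC stands in for the asymmetric signatures a real multi-signature wallet uses.

```python
import hashlib
import hmac
import json

# Constructed approver keys (assumption): a real multi-signature wallet uses
# asymmetric keys held on separate devices; HMAC keeps this example stdlib-only.
APPROVER_KEYS = {
    "ops": b"constructed-key-ops",
    "finance": b"constructed-key-finance",
    "security": b"constructed-key-security",
}
THRESHOLD = 2  # 2-of-3 sign-off policy (assumed for illustration)

# Constructed sample withdrawal request.
REQUEST = {"to": "constructed-address-1", "amount_btc": "25.0", "nonce": 1001}


def canonical(withdrawal):
    """Serialise deterministically so every approver signs the same bytes."""
    return json.dumps(withdrawal, sort_keys=True, separators=(",", ":")).encode()


def approve(approver, withdrawal):
    """Produce one approver's sign-off, bound to the exact withdrawal details."""
    key = APPROVER_KEYS[approver]
    return hmac.new(key, canonical(withdrawal), hashlib.sha256).hexdigest()


def authorised(withdrawal, approvals):
    """True only if THRESHOLD distinct, known approvers signed this withdrawal.

    approvals is a list of (approver_name, hex_tag) pairs.
    """
    valid = set()
    for approver, tag in approvals:
        key = APPROVER_KEYS.get(approver)
        if key is None:
            continue  # unknown signer: never counted
        expected = hmac.new(key, canonical(withdrawal), hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected, tag):
            valid.add(approver)  # a set, so a repeated signer counts once
    return len(valid) >= THRESHOLD
```

Counting distinct signers and binding each approval to the full request are the two checks that make a single stolen key insufficient: repeating one approval, or reusing approvals issued for a different amount or destination, does not reach the threshold.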

Although the relevant security protocols are available, the infrastructure in these exchanges often struggles to keep up with the pace.

Hosho capabilities

Hosho aims to drive the potential of blockchain security. With Hosho audits in place, clients can feel at ease that audited smart contracts have been written securely.

Speaking about what Hosho can do to support exchanges, Julian says: “Hosho offers penetration-testing services which, in conjunction with an effective infosec team, will ensure that exchanges have strong perimeter network security.

“Because no system is completely unhackable, it is also important to have an effective cryptocurrency-handling policy. Hosho assists in this domain by auditing existing policies and creating custom policies from scratch in the case of a new exchange entering the market.”

He continues: “Centralised exchanges can be secured through the proper application of sound cryptocurrency-handling policies, effective use of information security teams, and use of third-party auditing firms to perform policy reviews along with frequent penetration testing.

“As witnessed with Bancor, even decentralised exchanges are not immune to poor security implementation. No system, whether centralised or decentralised, is inherently secure. Systems must be designed in a secure manner, eliminating single points of failure. Once implemented, they must be kept up to date, tested and audited to ensure that they remain secure.”

As no security regulations or standards have been determined, Hosho conducts ‘penetration tests’, involving a series of signature tools and techniques to attempt a breach into a client’s system. By doing this, Hosho can discover potential vulnerabilities that could expose a system to damaging hacks. Each issue discovered is reported by Hosho with a Risk Score based on the likelihood of the issue being exploited.

The future is blockchain

The jury is still out on cryptocurrency. In September, the New York attorney general’s office released a report stating that the exchange sector was full of conflicts of interest.

It went further, saying the industry did not do enough to protect investors and prevent damaging breaches. In the UK, similar concerns have been raised by the government. MPs on the UK Government’s Treasury Select Committee have called for cryptocurrencies to be regulated, to protect consumers.

On the future of the cryptocurrency market, Julian highlights:

“While no one can see into the future, we believe that blockchain has the potential to be a globally transformative technology. The ability to rapidly exchange currency worldwide is important to the continued growth from globalisation, and with it the expansion of international trade, ideas and culture.

“It would appear that the exchange of information has advanced at a pace much faster than the international exchange of currency. Cryptocurrency could be the catalyst that can fuel this continued growth, free from the red-tape interference of diplomacy.”

The government has continued to have concerns over the volatile nature of cryptocurrencies. They have the potential for scams and have been used in illegal activities, such as money laundering or funding terrorism.

However, Julian notes that blockchain has the real potential to transform various sectors of society.

He says: “Blockchain technology has the potential to be just as transformative as the automobile, telephone, computer or internet.

“Hosho’s main goal is to work with business leaders, investors and regulators to improve blockchain security, leading the market with innovative tools, products and ideas. Through improvements in security, blockchain will become more trusted in the eyes of the population, allowing more investment, innovation and utilisation, eventually reaching its true potential to change the world as we know it.”

It will take time to become fully accepted across society, however. Julian adds: “Just like the infancy of the internet, the adoption of online payments did not become mainstream until it was deemed to be a secure method. Blockchain technology needs time to mature and become understood by the masses.

“As more resources are thrown into the development of innovative smart contracts and apps, we will see more companies rolling out products using blockchain technology. As long as security is taken seriously, and trust is developed with users and CEOs alike, soon we will see many mainstream technologies adopting blockchain technology.”

The reality is that the world of cryptocurrency and blockchain technology is growing at an exponential rate. To avoid further breaches, exchanges need to focus on securing their infrastructure.

Using Hosho’s security checks enables businesses and exchanges to learn early on where vulnerabilities lie, and how best to fix them. Without a robust platform in place, hacks will continue to plague the cryptocurrency exchange industry.