Bitcoin Exchanges and Cybersecurity Trends: Can Audit and Insurance Safeguard Your Money
Posted on 03-06-2020.
The crypto industry has historically suffered from security problems: in 2019 alone, hackers stole nearly $300 million from crypto exchanges. Exchanges, wallets and payment processors have had to respond with radical measures, from large-scale audits to multi-million dollar insurance programs. In this piece, BDCenter Digital helps us explain how crypto projects protect their users.
Last year saw 11 major attacks on crypto exchanges. In March, hackers stole $105 million from Coinbene; in May, $40 million was stolen from Binance; and in November, Upbit lost $49 million. Separately, 450,000 usernames and passwords were leaked from the Coinmama broker.
One thing is clear: until these dire security deficiencies are resolved, mass adoption will not happen. Large institutional investors will keep avoiding cryptocurrency as long as exchanges and wallets are this easy to breach.
A holistic security program always involves a broad set of measures. Searching for errors in the code, analyzing business processes, training employees: all of these steps reduce the risk to customers. In this article we explore three main trends in crypto security: audits, cold storage, and insurance.
SOC2 Audits: The Gemini Case
At the end of January 2019, the Gemini exchange completed a SOC2 Type 1 security audit. The audit was carried out by Deloitte & Touche, one of the Big Four accounting firms. According to Gemini, the audit took eight months and confirmed that Gemini is the safest crypto exchange in the world. That last claim goes well beyond what a SOC2 report actually attests to, so it is worth asking what a SOC2 audit implies.
The Service Organization Control 2 (SOC2) auditing standard was developed in 2011 by the American Institute of Certified Public Accountants (AICPA). The audit evaluates the controls with which a service provider protects customer data against the AICPA's Trust Services Criteria (security, availability, processing integrity, confidentiality and privacy): how databases are protected from unauthorized access, the quality of hosting, the policy for processing personal data, and so on.
At the time of writing, Gemini is the only exchange to have passed a Type 1 audit. Such an audit starts at $20,000 and is quite common in the traditional business world.
A higher-level audit (SOC2 Type 2) assesses whether the controls operated effectively over a period of time (usually several months to a year) rather than at a single date. This procedure starts at $30,000. Gemini planned to complete it before the end of 2019, but so far this has not happened.
Project Security Assessment: Expert Take
Although a SOC2 audit is prestigious, it covers a limited set of business processes, namely the handling of customer data, and it is not tailored to the specifics of blockchain technology. Ensuring the security of a crypto platform requires more specialized assessments. Such services are offered by the well-known cybersecurity company Kaspersky Lab, among others.
Kaspersky Lab's assessment includes an in-depth analysis of the web interface's and mobile app's source code, line-by-line review of smart contracts, penetration tests, and an analysis of account-hijacking and phishing risks.
Some vulnerabilities are far from obvious, and only a detailed analysis can identify them. The case of the Coinomi wallet is indicative. In February 2019 a user reported losing $70,000 after entering his wallet password in Chrome: by default the browser spellchecks the contents of ordinary text fields by sending them to Google's service at googleapis.com, so the password allegedly left the machine that way and was stolen. Coinomi disputes this account.
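The mechanism described above is easy to check for in your own UI. The following added example (written for this article, not code from Coinomi or from the page's authors) scans form markup for fields that look like they receive a password, passphrase or seed phrase and reports which of them a browser spellchecker could read: a plain `<input type="text">` or `<textarea>` is spellchecked by default, while `type="password"` never is and `spellcheck="false"` turns it off explicitly. The list of "secret-looking" attribute values and the sample form are constructed assumptions for the demonstration.

```python
from html.parser import HTMLParser

# Attribute values that suggest a field receives a secret. These hints are an
# assumption for this illustration; extend them for your own product's naming.
SECRET_HINTS = ("password", "passphrase", "seed", "mnemonic", "recovery", "private")
ATTRS_CHECKED = ("name", "id", "placeholder", "autocomplete", "aria-label")


class SecretFieldAuditor(HTMLParser):
    """Walks the markup and records, for every secret-looking <input>/<textarea>,
    whether its contents would be handed to the browser's spellchecker."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (identifier, verdict, reason)

    def handle_starttag(self, tag, attrs):
        if tag not in ("input", "textarea"):
            return
        a = {k.lower(): (v or "").lower() for k, v in attrs}
        label = " ".join(a.get(k, "") for k in ATTRS_CHECKED)
        if not any(hint in label for hint in SECRET_HINTS):
            return  # not a secret-entry field as far as the markup tells us
        ident = a.get("id") or a.get("name") or "<%s>" % tag
        if tag == "input" and a.get("type") == "password":
            self.findings.append((ident, "ok", "type=password: browsers never spellcheck it"))
        elif a.get("spellcheck") == "false":
            self.findings.append((ident, "ok", "spellcheck=false disables the spellchecker"))
        else:
            # A bare spellcheck attribute (no value) means *enabled*, so only the
            # explicit "false" above counts as safe.
            self.findings.append((ident, "LEAK",
                                  "%s with default spellcheck; contents may be sent to a remote spellcheck service" % tag))


def audit(markup: str):
    """Return (identifier, verdict, reason) for every secret-looking field."""
    parser = SecretFieldAuditor()
    parser.feed(markup)
    parser.close()
    return parser.findings


def leaking_fields(markup: str):
    """Identifiers of secret-entry fields that a spellchecker could read."""
    return [ident for ident, verdict, _ in audit(markup) if verdict == "LEAK"]


# Constructed sample markup for the demonstration; it is not taken from any real wallet.
SAMPLE_FORM = """
<form>
  <input name="username" type="text">
  <input name="login_password" type="password">
  <textarea id="seed_phrase" placeholder="Enter your 12-word recovery phrase"></textarea>
  <textarea id="seed_phrase_fixed" spellcheck="false" autocomplete="off"></textarea>
  <input id="wallet_passphrase" type="text">
</form>
"""

if __name__ == "__main__":
    for ident, verdict, reason in audit(SAMPLE_FORM):
        print(f"{verdict:5} {ident}: {reason}")
```

Running it on the sample flags `seed_phrase` and `wallet_passphrase` and accepts the other two. Seed phrases are the usual offender because they are typed into a `<textarea>`, which cannot be a password field; `spellcheck="false"` (and `autocomplete="off"`) on that element is the fix. The check only sees what the markup declares, so a field whose secret purpose is set from script will not be caught.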
Which type of audit is better, SOC2 or code analysis? The head of Kaspersky Lab’s Blockchain Security, Pavel Pokrovsky, offered his opinion:
“SOC2 includes an assessment of business processes and technical solutions for compliance with a clear standard, and here the requirements of the legislation of a particular country play a role. At the same time, SOC2 does not require the company to conduct a one-time or periodic analysis of application security or penetration testing. It makes little sense to juxtapose SOC2 with assessing application security. Security assessments or penetration testing can be both a good complement to the SOC2 audit and an independent tool for assessing the level of security.”
One of the most recent projects to pass Kaspersky Lab's security assessment is the crypto-processing service Cryptoprocessing.com. The company's products, a payment gateway and a personal blockchain wallet, include extended support for fiat currencies. According to Maxim Krupyshev, the company's CEO, such an assessment is not a luxury but a necessity for a B2B provider, not least because banks that work with processing services require evidence that the service is secure.
Switching to Cold Storage
Cryptocurrency wallets come in two kinds. A hot wallet's private keys live on a device connected to the Internet; a cold wallet's keys are generated and kept on a device that is never connected. As long as the keys stay offline, an attacker cannot steal them remotely: transactions are prepared online, carried to the offline device for signing, and the signed result is carried back to be broadcast.
Any crypto exchange or crypto-processing service keeps some percentage of its funds in hot wallets in order to service withdrawals, and hot wallets are the hackers' favorite target: Cryptopia, Binance, Coinbene, Bithumb, BITPoint and UpBit all had their hot wallets breached. In UpBit's case, the theft occurred at the moment cryptocurrency was being transferred from a hot wallet to a cold one. Today cryptocurrency companies try to minimize the share of funds held in hot wallets.
Of course, cold wallets are not impervious either. In December 2019, the CEO of the IDAX exchange disappeared without a trace, and it turned out he was the only person who held the key to the cold storage. All IDAX users lost access to their money: an offline key that exists in a single copy, under a single person's control, is a single point of failure.
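The standard answer to the single-key-holder problem is to require several people to cooperate. The following added example (written for this article, not code from IDAX or from the page's authors) implements Shamir's k-of-n secret sharing over a prime field and plays out the IDAX scenario with a 3-of-5 split: the officer holding share 1 vanishes, any three of the remaining four still recover the cold-storage key, and two alone get nothing. The demo key and the officer assignment are constructed assumptions.

```python
import secrets

# 2^521 - 1 is a Mersenne prime, comfortably larger than any 256-bit key, so a
# raw key can be used directly as a field element.
P = 2**521 - 1


def _eval_poly(coeffs, x):
    """Horner evaluation of a polynomial over GF(P); coeffs[0] is the secret."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret: bytes, threshold: int, shares: int):
    """Split `secret` into `shares` pieces of which any `threshold` recover it.

    Run this on the offline machine and hand each (x, y) pair to a different
    officer; the key itself must never be kept alongside the shares.
    """
    if not 1 < threshold <= shares:
        raise ValueError("need 1 < threshold <= shares")
    s = int.from_bytes(secret, "big")
    if s >= P:
        raise ValueError("secret too large for the field")
    # Random polynomial of degree threshold-1 with the secret as constant term.
    coeffs = [s] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def recover_secret(shares, length: int) -> bytes:
    """Lagrange-interpolate the polynomial at x = 0 from `threshold` shares.

    With too few (or tampered) shares the interpolated value is a random field
    element; it almost never fits the expected key length, so that case is
    reported as an error rather than returned as a plausible-looking key.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    if total.bit_length() > 8 * length:
        raise ValueError("reconstructed value does not fit the key: too few or corrupted shares")
    return total.to_bytes(length, "big")


# Constructed 32-byte demo key standing in for a cold-storage private key.
DEMO_KEY = bytes.fromhex("9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08")


def idax_scenario():
    """3-of-5 custody among five officers. Returns (key recovered by three
    officers, result of two officers trying), the latter None on failure."""
    shares = split_secret(DEMO_KEY, threshold=3, shares=5)
    # The CEO (share 1) vanishes; officers 2, 4 and 5 reconstruct the key.
    with_three = recover_secret([shares[1], shares[3], shares[4]], len(DEMO_KEY))
    try:
        with_two = recover_secret(shares[:2], len(DEMO_KEY))  # two officers colluding
    except ValueError:
        with_two = None
    return with_three, with_two


if __name__ == "__main__":
    three, two = idax_scenario()
    print("three officers recovered the key:", three == DEMO_KEY)
    print("two officers recovered the key:", two is not None)
```

Shares are information-theoretically hiding: fewer than `threshold` of them say nothing about the key, which is why the failed reconstruction is simply a random value. The scheme does not by itself detect a dishonest officer submitting a corrupted share (verifiable secret sharing or an on-chain multisignature wallet is needed for that), and it still requires the key to be reassembled on one machine at signing time, so for live custody a native multisig that never reassembles the key is the stronger choice.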
Customer Funds Insurance
No audit can guarantee 100% that funds will never be stolen. On the one hand, rapidly evolving technology lets hackers invent new tricks; on the other, there is always the human factor. For example, the recent hack of the Upbit exchange may have been organized by one of its employees.
In this context, large platforms have begun implementing insurance programs for customer funds. Even if funds are stolen, the client does not suffer, because the insurer compensates the loss. Of course, only large companies can afford such a luxury: the risks in the crypto business are high, and insuring them is expensive.
Coinbase leads among those who already insure clients' money. In April 2019 the company announced that funds in its hot wallets were insured for $255 million. Although only about 2% of customer funds are held in hot wallets, those are the funds most exposed to attack. Covered events include hacker attacks as well as theft and loss of keys.
Coinbase's Chief Information Security Officer explains on his blog that, because the amount insured is so large, the policy is placed simultaneously with a large number of leading insurers through the broker Aon.
Some companies (BitGo, for example) insure funds held in cold wallets. However, funds in cold storage are at very low risk while the wallet is disconnected from the network. The risk arises when cryptocurrency is moved from a hot wallet to a cold one or back, and insurance usually does not cover those transfers.
In Conclusion: What to Do if You Are a Small Company
Few startups can afford a SOC2 audit or an insurance program for customer funds. Are there security measures that are both effective and inexpensive?
“There are open methodologies for ensuring information security. In particular, the SDLC (Software Development Lifecycle) secure development standard. Based on its recommendations, small projects can choose for themselves the tools that fit their budget, including free open-source solutions,” says Pavel Pokrovsky of Kaspersky Lab.
According to Pokrovsky, application security assessments from well-known providers are also popular among small companies.
“The cost of such a security assessment is quite affordable for startups because the research area in small projects is much smaller than in the case of large companies. In addition, startups usually use modern tools and languages for developing and organizing infrastructure, which also simplifies the process of providing services,” added Pavel Pokrovsky.
Crypto security is developing in several directions at once, and solutions exist for any budget. Startups will have to realize that information security is as important as marketing or fundraising. Once protecting funds becomes a priority for fintech startups, the crypto industry will finally be able to shed its dubious reputation and become a full-fledged segment of the global market.