54% of cryptocurrency exchanges are insecure, claims research

Over half of the world’s cryptocurrency exchanges have potentially serious security flaws, according to research from ICORating.

In examining 100 exchanges with daily volumes exceeding $1m, analysts found critical holes in account creation and lax security measures elsewhere. These included allowing short passwords that didn’t require alphanumerics (both letters and numbers), allowing users to create accounts without a traceable email address, and across-the-board dodgy domain security.

Binance, the largest exchange by volume, sits in 17th place in the list of most secure, while Zaif, the Japanese exchange recently hacked for 6,000 BTC, lies in 89th.

Most – 97% – offer two-factor authentication, though, and 95% require email verification to activate accounts. However, 37% allow passwords that aren’t alphanumeric, and four in ten allow passwords of fewer than eight characters.

There’s much room for improvement, as only 46% of exchanges meet all four of these main security parameters.

Hackers are practical if nothing else. They follow easy money – and it would seem there’s still easy money in exchanges holding vast reserves of digital cash with easily-solvable, gaping holes in their defences.

Exchange hacks have certainly cost customers money, and technical errors have caused exchanges to lose their customers’ investments. The fact that the head of Mt.Gox went on trial in Japan for embezzlement in 2015 should serve as a warning to everyone, not least because investor funds were reportedly spent on prostitutes.

Atlas Quantum, a Brazilian exchange with $30m in assets under management, was hit in August. While bosses claimed no cryptocurrencies were stolen, the personal details of 261,000 investors, including email addresses, phone numbers and account balances, were leaked and went up for sale on the dark web.

That makes it especially worrying that 32% of the exchanges featured in the research also showed console errors in their JavaScript or CSS code. While not a critical vulnerability in itself, this can cause web pages to malfunction, and wrongly formatted JavaScript becomes a real issue when, for example, users are making online payments through those pages.

“In some instances these errors have resulted in data loss,” says the report.

Only 2% of exchanges surveyed used registry lock, which prevents a domain from being deleted, while just one in ten use a DNSSEC protocol extension, which helps stop DNS cache poisoning.

San Francisco’s Coinbase won the plaudits as the most secure exchange in the world, while Kraken and BitMex took second and third place.

The full report is online here.