Security remains the weak point of the crypto industry: in 2019, hackers stole nearly $300 million from crypto exchanges. In response, exchanges, wallets and payment processors are turning to radical measures, from large-scale audits to multi-million-dollar insurance programs. Especially for ForkLog, the BDCenter Digital agency looked into how crypto projects protect their users.
What we saw in 2019
Last year saw 11 major attacks on crypto exchanges. In March, hackers stole $105 million from Coinbene; in May, $40 million from Binance; and in November, $49 million from Upbit. In addition, the usernames and passwords of 450 thousand users were stolen from the broker Coinmama.
Cryptocurrency market players understand that until the security problem is solved, mass adoption of cryptocurrencies cannot be expected. Still less does it make sense to wait for large institutional investors to put money into cryptocurrency while exchanges and wallets are so easy to break into.
A complete security system always involves a set of measures. Searching for errors in the code, analysing business processes, training employees: all of these tools help minimize customer risk. Here we consider three notable trends in crypto security: audits, the transition to cold storage of funds, and insurance.
SOC2 security audits: the Gemini case
At the end of January 2019, the Gemini exchange passed a SOC2 Type 1 security audit, and the auditor was Deloitte & Touche, one of the Big Four. According to Gemini, the audit took 8 months and once again confirmed that the Winklevoss brothers' brainchild is the safest crypto exchange in the world. But what does a SOC2 audit include?
The Service Organization Control 2 (SOC2) auditing standard was developed in 2011 by the American Institute of Certified Public Accountants (AICPA). The purpose of the audit is to determine how securely a service provider handles user data. This covers protecting the database from unauthorized access, hosting quality, the personal data processing policy, and so on.
We emphasize that so far only Gemini has passed a Type 1 audit. Its price starts at $20,000, and in traditional business it is widespread.
A higher-level audit, SOC2 Type 2, means that security controls are assessed over a period of time rather than at a single date. This procedure costs from $30,000. Gemini promised to pass it before the end of 2019, but so far this has not happened.
Project security assessment: an expert's opinion
Although a SOC2 audit is very prestigious, it covers a limited set of business processes, namely the handling of customer data. It is also not adapted to the specifics of blockchain technology. Ensuring the security of a crypto platform as a whole requires highly specialized solutions. One such security assessment for blockchain services is offered by Kaspersky Lab, a large information security company.
It includes in-depth analysis of the web interface and mobile application code, verification of every line of the smart contract, penetration tests, and analysis of the risks of account hijacking and phishing.
Some vulnerabilities are so non-obvious that only a detailed analysis can identify them. The Coinomi wallet case is indicative: in February 2019, a user lost the equivalent of $70,000 because, when the password was entered in Chrome, the browser spell-checked it through the shared googleapis.com server. This, it is claimed, is how the password was stolen, although Coinomi does not confirm it.
Which type of verification is better to choose: SOC2 or code analysis? Pavel Pokrovsky, head of Blockchain Security at Kaspersky Lab, explains:
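The Coinomi incident above comes down to a secret typed into a field that the browser treated as ordinary text and handed to a spellchecker. The following is an added example, not code from the article or from Coinomi: it scans a page's HTML for secret-bearing fields that are neither type="password" nor marked spellcheck="false", the kind of check a review of a wallet's restore form would run. The hint list and the sample form are constructed.

```python
from html.parser import HTMLParser

# Substrings in a field's name/id/placeholder/autocomplete that mark it as secret-bearing
# (constructed list; extend it to match the application's own field names).
SECRET_HINTS = ("password", "passphrase", "seed", "mnemonic", "private")

class SecretFieldAuditor(HTMLParser):
    """Collects secret-bearing text fields that a browser may still hand to a spellchecker."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("input", "textarea"):
            return
        a = {name: (value or "").lower() for name, value in attrs}
        label = " ".join(a.get(k, "") for k in ("name", "id", "placeholder", "autocomplete"))
        if not any(hint in label for hint in SECRET_HINTS):
            return
        # type="password" inputs are masked and not spell-checked; every other control
        # (plain text inputs, textareas for seed phrases) needs an explicit spellcheck="false".
        if tag == "input" and a.get("type") == "password":
            return
        if a.get("spellcheck") != "false":
            self.findings.append((tag, a.get("name") or a.get("id") or "?"))

def audit_form(html: str):
    """Return (tag, field) pairs for secret fields that lack spellcheck="false"."""
    parser = SecretFieldAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample: a wallet restore page with two safe fields and two risky ones.
SAMPLE_FORM = """
<form>
  <input type="password" name="password">
  <textarea name="seed_phrase" placeholder="Enter your 12 words"></textarea>
  <input type="text" id="passphrase">
  <textarea name="mnemonic" spellcheck="false"></textarea>
</form>
"""

if __name__ == "__main__":
    for tag, field in audit_form(SAMPLE_FORM):
        print(f"{tag} '{field}': secret field without spellcheck=\"false\"")
```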
“SOC2 includes an assessment of business processes and technical solutions for compliance with a clear standard, and here the requirements of the legislation of a particular country play a role. At the same time, SOC2 does not require the company to conduct a one-time or periodic analysis of application security or penetration testing. Thus, it is incorrect to raise the question of choosing between SOC2 and assessing application security. Security assessments or penetration testing can be both a good complement to the SOC2 audit and an independent tool for assessing the level of security.”
One of the latest projects to successfully pass Kaspersky Lab's security assessment was the crypto-processing service Cryptoprocessing.com, the first in the world to pass verification at this level.
The company's products, a payment gateway and a personal blockchain wallet, include extended support for fiat currencies. According to Maxim Krupyshev, the company's CEO, such a service is not a luxury but a necessity for a B2B provider. In addition, banks working with processing providers require evidence that the service is safe.
Transition to cold storage
As is well known, cryptocurrency wallets are divided into hot and cold. The difference is that a hot wallet is installed on a device connected to the Internet, while a cold one is not. While the wallet is disconnected from the network, hackers cannot break into it remotely.
Any crypto exchange or crypto-processing service has to keep a certain percentage of funds in hot wallets to ensure normal withdrawals. However, it is precisely hot wallets that are the favourite target of attackers. This is how Cryptopia, Binance, Coinbene, Bithumb, BITPoint and UpBit suffered. In the latter case, the theft occurred at the moment the cryptocurrency was being transferred from a hot wallet to a cold one.
Therefore, cryptocurrency companies seek to minimize the share of cryptocurrency held in hot storage. For example, Cryptoprocessing.com stores 100% of client funds in cold wallets, leaving only its own operational reserves in hot storage to ensure fast payments. It is important to strike a balance, however, to avoid delays during mass withdrawals. This happened to Coinbase in July 2017, when many customers began withdrawing bitcoins on the eve of the Bitcoin Cash fork and the funds in the hot wallet ran out.
Of course, cold wallets are not without risks either. In December 2019, the CEO of the IDAX exchange disappeared without a trace, and it turned out that he alone had the key to the cold storage. As a result, IDAX users lost access to their money.
Client funds insurance
No audit can give a 100% guarantee that funds will never be stolen. On the one hand, the rapid development of technology lets hackers invent new tricks. On the other hand, the human factor has not gone away: for example, the recent hack of the Upbit exchange may have been organized by one of its employees.
In this context, large players are beginning to implement fund insurance programs. Even in the event of theft, the client does not suffer, because the insurer compensates the damage. Of course, only large companies can afford such a luxury: the risks in the crypto business are high, and insuring them is expensive.
Among those already insuring client money, Coinbase leads. In April 2019, the company announced that the funds in its hot wallets were insured for $255 million. Although only 2% of customers' money is stored in hot wallets, they are the most vulnerable to attack. Insured events include hacker attacks, theft and loss of keys, including as a result of employee actions.
Coinbase's security director explains on his blog that, since the insured amount is very large, the agreement is concluded with a large number of leading insurance companies at once, through the well-known broker Aon.
Some companies (for example, BitGo) insure funds in cold wallets. However, one has to understand that funds in cold storage are at very high risk while the wallet is disconnected from the network. The risk arises when the cryptocurrency is transferred from a hot wallet to a cold one and vice versa, but insurance usually does not cover these situations.
In conclusion: what should small companies do?
Few startups can afford a SOC2 audit or a fund insurance program. Are there security measures that are both effective and inexpensive?
“There are open methodologies for ensuring information security – in particular, the SDLC (Software Development Lifecycle) secure development standard. Based on these recommendations, small projects can choose for themselves the tools that fit their budget, including free open-source solutions,” says Pavel Pokrovsky.
According to him, application security assessment services from well-known providers are very popular among small companies.
“The cost of such a security assessment is quite affordable for startups, because the scope of research in small projects is much smaller than in the case of large companies. In addition, startups usually use modern tools and languages for development and for organizing their infrastructure, which also simplifies the process of providing the service,” added the Kaspersky Lab expert.
Crypto security systems are developing in several directions at once, and solutions for any budget are already on the market. What remains is a small matter: projects must realize that information security is as important as marketing or attracting investment. As soon as the protection of funds becomes a priority for fintech startups, the crypto industry will finally be able to shed its dubious reputation and become a full-fledged segment of global business.