User Security In Detail
Cybersecurity is a vital facet of all crypto market operations. It is essential for all individuals and entities buying and selling cryptocurrencies, especially for exchanges, as they are typically custodians of large piles of user funds. Recently the CER team conducted an analysis and issued the second “Top-100 Crypto Exchanges by Cybersecurity Score” report, ranking the most active trading platforms on a 10-point scale according to a recently updated methodology. The Cybersecurity Score (CSS) evaluates a number of parameters including server and user security, along with historical cases and bug bounty availability. The assessment methodology was updated in order to get more versatile results. One of the most substantial changes is related to user security features.
While news of cryptocurrency exchange hacks almost certainly becomes public, there is very little information regarding the far more frequent thefts from personal accounts. There are lots of ways for hackers to steal user credentials for exchange accounts, including malware, spyware, social engineering, SIM-swapping, etc. However, even if the hackers succeed in gaining access to the account, all of their efforts will be in vain if the exchange has layers of strong user security features and the user has configured them properly.
In this article, we will describe several common user security features available on popular crypto trading platforms. We’ll also give the statistics of their usage, based on our recent cybersecurity score research. Some of them are widely used (captcha, password requirements, 2-factor and SMS authentication), while some are rarely implemented. Let’s look at them in detail.
- 2-Factor Authentication (2FA), also known as Multi-Factor Authentication (MFA), is a method of authorizing a login using two pieces of authentication. The two pieces are usually defined as something the user has (a 2FA app on their phone), and something the user knows (the account password). With 2FA enabled, a hacker would need to steal your 2FA device and your password in order to break into the account. If only one of these factors is compromised, the account will remain closed to the intruder. Looking at it from another angle, if a consumer uses 2FA correctly, websites and apps can be more confident of the user’s identity, and safely unlock the account. The most common 2FA method is software tokens. It uses a time-based, one-time passcode (“soft-token”) generated by a specialized application (e.g. Google Authenticator) on your device to complete the login process. 2FA is the most essential cybersecurity feature and it is strongly recommended to enable it in your crypto exchange user accounts, especially when you consider that all of the Top-100 trading platforms assessed in our recent research have implemented 2FA.
- CAPTCHA is a special test designed to distinguish between human actions and those performed by computers. It is an acronym that stands for Completely Automated Public Turing Test to Tell Computers and Humans Apart. Captchas are used as security checks to deter spammers and hackers from using forms on web pages to insert malicious code. Quite simply, end users are asked to perform some task that a software bot cannot do. Tests often involve JPEG or GIF images, because while bots can identify the existence of an image by reading the source code, they cannot tell what the image depicts. The most common form of Captcha is an image of several distorted letters. It’s your job to type the correct series of letters into a form. If your letters match the ones in the distorted image, you pass the test. According to the results of our recent Top-100 exchanges security check, 62% of the platforms have a Captcha in both the sign-up and sign-in processes, 21% are using Captcha in only one procedure, and 17% are not using Captcha at all (see fig. 1).
Fig 1. Captcha availability on 100 most active crypto exchanges
- Password is the most basic security feature used for accessing protected areas. To protect a user account properly it should be difficult to brute force. Strong passwords should be at least 8 characters long and contain lower and upper case letters, numbers and special symbols. Unfortunately, many people don’t bother to set strong passwords, but instead use the simplest ones, e.g. ‘123456’ or ‘qwerty’, which are much easier to remember, and therefore used by millions of careless users globally. Understanding the natural laziness of human beings, crypto exchanges should enforce strict password requirements; however, few do. In our research, when we assessed exchange password requirements, we took into account the required password length and the variety of required symbols such as numbers, letters, upper case, special characters, etc. Moreover, we checked to see if any exchanges allow users to create weak passwords despite their claim of having “tough” requirements. We found that password requirements are low or absent on 33% of the exchanges, fair on 35%, medium on 24%, and strong on only 7% (see fig 2).
Fig 2. Password Requirements on 100 most active crypto exchanges
- SMS Authentication is a kind of 2FA using your cell phone number to receive a one-time passcode via SMS. This feature can be used on top of the aforementioned “software token” 2FA for sign-in, withdrawal, security modifications and other significant actions with a user account. 66% of the assessed crypto exchanges in our recent research provide users with the opportunity to protect their accounts with this extra security feature.
- PIN or trading password (typically 4-6 digits) is usually used to confirm the submission of trade orders. This feature protects against unauthorized trading with the user account even if the API keys or credentials were compromised. According to our research, only 21% of top-100 exchanges have this feature in place.
- Withdrawal PIN is a 4-6 digit passcode required for submitting a request to withdraw funds. Hence, even if someone gets access to the user account, it won’t be possible to withdraw funds without knowing the withdrawal PIN. Unfortunately, only 20% of the top-100 exchanges from our recent research provide this security feature to users.
- IP whitelist is another feature protecting against unauthorized actions with a user account. After adding one or more IP addresses to this list, a user will be able to place orders or withdraw funds from those particular addresses only. Usually, to add or remove an IP address, a user must have 2FA enabled and provide the authenticator code before submitting any changes. Only 11% of the assessed top-100 exchanges allow users to whitelist IP addresses.
- Withdrawal whitelist is a feature protecting your funds from unauthorized withdrawal even if the account was compromised. Adding a digital currency address or bank account to the withdrawal whitelist will block withdrawal to any other destinations not on this list, while still allowing withdrawal to the whitelisted destinations. In most cases, after adding a new address to the whitelist the exchange notifies the user and automatically blocks the withdrawal for 24 hours. This feature is available only on 6% of assessed top-100 trading platforms.
- Anti-phishing code is an additional security layer helping users to distinguish phishing emails from legitimate emails sent by the exchange. Once the user has enabled the Anti-Phishing Code, it will be included in all genuine emails sent from the exchange. Only 13% of top-100 exchanges provide this extra security feature to the users.
These 9 features were considered in the context of the user security assessment of top-100 crypto exchanges in our recent report. Some of them were more common (e.g. 2FA, Captcha and SMS Authentication), but others appeared to be implemented by a smaller percentage of trading platforms (see fig 3).
Fig 3. User Security features availability across 100 most active crypto exchanges
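How the IP whitelist and the withdrawal whitelist combine when a withdrawal request arrives, as an added example that is not taken from the report or from any exchange's code. The `AccountPolicy` class, its method names and the sample addresses are hypothetical, and the example assumes the 24-hour block applies to every withdrawal on the account after a new address is added.

```python
import ipaddress
from dataclasses import dataclass, field

HOLD_SECONDS = 24 * 3600  # 24-hour block after a new withdrawal address is added

@dataclass
class AccountPolicy:
    allowed_networks: list = field(default_factory=list)    # IP whitelist (CIDR)
    withdrawal_addresses: set = field(default_factory=set)  # withdrawal whitelist
    last_address_added: float = float("-inf")

    def add_allowed_network(self, cidr: str, totp_ok: bool) -> bool:
        """IP whitelist changes require a valid authenticator code."""
        if not totp_ok:
            return False
        ipaddress.ip_network(cidr)  # raises ValueError on a malformed entry
        self.allowed_networks.append(cidr)
        return True

    def add_withdrawal_address(self, address: str, now: float) -> None:
        """Adding a destination starts the hold (assumed account-wide)."""
        self.withdrawal_addresses.add(address)
        self.last_address_added = now

    def check_withdrawal(self, source_ip: str, destination: str, now: float) -> str:
        try:
            ip = ipaddress.ip_address(source_ip)
        except ValueError:
            return "deny: unparseable source IP"
        if self.allowed_networks and not any(
                ip in ipaddress.ip_network(n) for n in self.allowed_networks):
            return "deny: source IP not whitelisted"
        if destination not in self.withdrawal_addresses:
            return "deny: destination not whitelisted"
        if now - self.last_address_added < HOLD_SECONDS:
            return "deny: 24-hour hold after whitelist change"
        return "allow"

def demo() -> list:
    # Constructed sample data: documentation IP ranges and placeholder wallets.
    policy = AccountPolicy()
    policy.add_allowed_network("203.0.113.0/24", totp_ok=True)
    policy.add_withdrawal_address("WALLET_A", now=0.0)
    return [
        policy.check_withdrawal("203.0.113.9", "WALLET_A", now=3600.0),
        policy.check_withdrawal("203.0.113.9", "WALLET_A", now=86400.0),
        policy.check_withdrawal("198.51.100.7", "WALLET_A", now=86400.0),
        policy.check_withdrawal("203.0.113.9", "WALLET_B", now=86400.0),
    ]
```

An intruder with the password who adds their own address still hits the hold, which gives the notified account owner a day to react.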
Besides these features, we also accounted for all additional but rarely used security options, e.g. hardware 2FA or withdrawal confirmation phrase. The final results of the user security assessment showed only 3 exchanges scoring over 8 points and only one reaching the maximum 10 points. While the average score was 5.75 points, more than half of the exchanges scored under 5 points. These statistics are not quite encouraging.
From the user’s perspective, the more security options crypto exchanges provide, the better, as each additional feature raises the security level of funds exponentially. Unfortunately, most trading platforms do not care to provide users with these tools. We hope that as the market evolves crypto exchanges will do the same and implement more security features for their users.
CER, as a part of the Hacken ecosystem, provides an objective rating and certification of crypto exchanges.
Hacken is a cybersecurity ecosystem that ensures the safety of IT companies and digital environments. The company provides complex cybersecurity services and hosts bug bounty programs on the HackenProof platform.