Security remains a weak point of the crypto industry: in 2019, hackers stole nearly $300 million from crypto exchanges. In response, exchanges, wallets and payment processors are resorting to radical measures, from large-scale audits to multi-million-dollar insurance programs. Especially for ForkLog, the BDCenter Digital agency looked into how crypto projects protect their users.
Last year saw 11 major attacks on cryptocurrency exchanges. In March, hackers stole $105 million from Coinbene; in May, $40 million from Binance; and in November, $49 million from Upbit. In addition, the usernames and passwords of 450 thousand users were stolen from the Coinmama broker.
Crypto market players understand that until the security problem is solved, there is no point waiting for the mass adoption of cryptocurrencies. Still less does it make sense to expect large institutional investors to start investing in cryptocurrency while exchanges and wallets are so easy to break into.
A complete security system always involves a set of measures. Searching for errors in the code, analysis of business processes, employee training: all these tools help minimize customer risks. Let us consider three interesting trends in crypto security: audits, the transition to cold storage of funds, and insurance.
SOC2 Audits: Gemini Case
At the end of January 2019, the Gemini exchange passed a SOC2 Type 1 security audit. Moreover, the auditor was a «Big Four» firm, Deloitte & Touche. According to Gemini, the audit took 8 months and once again confirmed that the Winklevoss brothers' brainchild is the safest crypto exchange in the world. But what does a SOC2 audit include?
The Service Organization Control 2 (SOC2) auditing standard was developed in 2011 by the American Institute of Certified Public Accountants (AICPA). The purpose of the audit is to determine how securely the service provider processes user data. This includes protection of the database from unauthorized access, hosting quality, the personal data processing policy, and so on.
We emphasize that so far only Gemini has passed a Type 1 audit. Its price starts at $20,000, and in traditional business such audits are widespread.
The higher-level audit, SOC2 Type 2, implies security controls monitored over a period of time rather than at a single date. The cost of this procedure starts at $30,000. Gemini promised to pass this audit before the end of 2019, but so far this has not happened.
Project security assessment: expert opinion
Although a SOC2 audit is very prestigious, it covers a limited number of business processes, namely the processing of customer data. In addition, it is not adapted to the specifics of blockchain technologies. To ensure the security of a crypto platform as a whole, highly specialized solutions are needed. One such assessment of blockchain service security is offered by the large information security company Kaspersky Lab.
It includes in-depth analysis of the web interface and mobile application code, verification of each line of the smart contract, penetration tests, and analysis of the risks of account hijacking and phishing.
Some vulnerabilities are so unobvious that only a detailed analysis can reveal them. The case of the Coinomi wallet is telling: in February 2019, a user lost the equivalent of $70,000 because, when the password was entered in Chrome, the browser checked its spelling through the shared googleapis.com server. The password was thus stolen, although Coinomi does not confirm this.
Which type of verification is better to choose: SOC2 or code analysis? Pavel Pokrovsky, head of Blockchain Security at «Kaspersky Lab», explains:
“SOC2 includes an assessment of business processes and technical solutions for compliance with a clear standard, and here the requirements of the legislation of a particular country play a role. At the same time, SOC2 does not require the company to conduct a one-time or periodic analysis of application security or penetration testing. Thus, it is incorrect to pose the question as a choice between SOC2 and assessing application security. Security assessments or penetration testing can be both a good complement to a SOC2 audit and an independent tool for assessing the level of security.”
One of the latest projects to successfully pass Kaspersky Lab's security assessment, the crypto processing service Cryptoprocessing.com, became the first in the world to pass an audit of this level.
The company's products, a payment gateway and a personal blockchain wallet, include extended support for fiat currencies. According to Maxim Krupyshev, the company's CEO, such a service is not a luxury but a necessity for a b2b provider. In addition, banks working with the processor require evidence that the service is safe.
Transition to cold storage
As is well known, crypto wallets are divided into cold and hot. The difference between the two is that a hot wallet is installed on a device connected to the Internet, and a cold one is not. While the wallet is disconnected from the network, hackers cannot break into it remotely.
Any cryptocurrency exchange or crypto processor has to keep a certain percentage of funds in hot wallets to ensure normal withdrawals. However, it is precisely hot wallets that are the favorite target of attackers. That is how Cryptopia, Binance, Coinbene, Bithumb, BITPoint and UpBit suffered. In the case of the latter, the theft occurred at the moment the cryptocurrency was being transferred from a hot wallet to a cold one.
Therefore, crypto companies seek to minimize the share of cryptocurrency in hot storage. For example, Cryptoprocessing.com stores 100% of client funds in cold wallets, leaving only its own operational reserves in hot storage to ensure fast payments. It is important to keep a balance in order to avoid delays during mass withdrawals. This is what happened in July 2017 with Coinbase, when many customers began to withdraw bitcoins on the eve of the Bitcoin Cash fork and the funds in the hot wallet ran out.
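To make the hot/cold balancing trade-off concrete, here is an added example (not from the article or from any company it mentions) that models a hypothetical treasury policy: a small hot float, withdrawals paid only from that float, queuing instead of dipping into cold storage, and a refill from cold storage that has to wait for a separate offline signing step, which is the window in which the Upbit theft occurred. The 2% share, the low-water mark and all amounts are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Treasury:
    hot: int                         # balance of the internet-connected wallet
    cold: int                        # balance held offline
    hot_share_pct: int = 2           # hypothetical policy: keep about 2% of funds online
    low_water_pct: int = 50          # ask for a refill when hot < 50% of its target
    queued: list = field(default_factory=list)   # withdrawals waiting for funds
    pending_refill: int = 0          # cold->hot amount awaiting the offline signing step
    log: list = field(default_factory=list)      # refill events, for review and alerting

    def hot_target(self) -> int:
        return self.hot_share_pct * (self.hot + self.cold + self.pending_refill) // 100

    def withdraw(self, amount: int) -> bool:
        """Pay from the hot wallet only; cold storage is never touched on the request path."""
        if amount <= self.hot:
            self.hot -= amount
            paid = True
        else:
            self.queued.append(amount)   # delay rather than fail or bypass the policy
            paid = False
        self.request_refill()
        return paid

    def request_refill(self) -> None:
        """Flag a cold->hot transfer when the float is low or withdrawals are waiting."""
        low = self.hot * 100 < self.low_water_pct * self.hot_target()
        if self.pending_refill == 0 and (low or self.queued):
            need = self.hot_target() - self.hot + sum(self.queued)
            self.pending_refill = min(need, self.cold)
            self.cold -= self.pending_refill
            self.log.append(f"refill requested: {self.pending_refill}")

    def settle_refill(self) -> int:
        """Run after the offline signers approve the transfer; returns withdrawals paid."""
        self.hot += self.pending_refill
        self.pending_refill = 0
        paid = 0
        while self.queued and self.queued[0] <= self.hot:
            self.hot -= self.queued.pop(0)
            paid += 1
        self.request_refill()            # a drained float may need topping up again
        return paid

def mass_withdrawal_demo() -> dict:
    # Constructed burst of withdrawals against a 2% hot float, as in a fork-day rush.
    t = Treasury(hot=20_000, cold=980_000)
    results = [t.withdraw(5_000) for _ in range(6)]
    paid = t.settle_refill()
    return {"results": results, "paid": paid, "hot": t.hot, "cold": t.cold, "pending": t.pending_refill, "log": t.log}
```

The demo shows the two failure modes side by side: the fifth and sixth withdrawals stall until the refill is signed, and every refill is logged as an event that deserves review because it is the moment funds are in transit.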
Of course, cold wallets are not without risks either. In December 2019, the CEO of the IDAX exchange disappeared without a trace, and it turned out that only he had the key to the cold storage. As a result, IDAX users lost access to their money.
Client funds insurance
No audit can give a 100% guarantee that funds will never be stolen. On the one hand, the rapid development of technology lets hackers invent new tricks. On the other hand, no one has abolished the human factor: for example, the recent hack of the Upbit exchange may have been organized by one of its employees.
In this context, large players are beginning to introduce funds insurance programs. Even in case of theft, the client will not suffer, because the insurer will compensate the damage. Of course, only large companies can afford such a luxury: the risks in the crypto business are high, and insuring them is expensive.
Among those who already insure clients' money, Coinbase leads. In April 2019, the company announced that funds in its hot wallets were insured for $255 million. Although only 2% of customers' money is stored in hot wallets, they are the most vulnerable to attacks. Insured events include hacker attacks, theft and loss of keys, including as a result of employee actions.
On his blog, Coinbase's security director explains that since the insured amount is very large, the contract is concluded with a large number of leading insurance companies at once, through the well-known broker Aon.
Some companies (e.g. BitGo) insure funds in cold wallets. However, you need to understand that funds in cold storage are at little risk while the wallet is disconnected from the network. The risk arises when the cryptocurrency is transferred from a hot wallet to a cold one and vice versa, but insurance usually does not cover these situations.
In conclusion: what small companies should do
Few startups can afford a SOC2 audit or a funds insurance program. Are there security measures that are both effective and inexpensive?
«There are open methodologies for providing information security, in particular the secure development standard SDLC (Software Development Lifecycle). Based on these recommendations, small projects can choose tools that fit their budget, even free open-source solutions», notes Pavel Pokrovsky.
According to him, application security assessment services from well-known providers are very popular among small companies.
«The cost of such a security assessment is quite affordable for startups, because the scope of research in small projects is much smaller than in the case of large companies. In addition, startups usually use modern tools and languages for development and for organizing infrastructure, which also simplifies the process of providing the service», added the Kaspersky Lab expert.
Crypto security systems are evolving simultaneously in several directions, and solutions for any budget are already on the market. What remains is a small thing: projects must realize that information security is as important as marketing or attracting investment. As soon as the protection of funds becomes a priority for fintech startups, the crypto industry will finally be able to shed its dubious reputation and become a full-fledged segment of global business.