Who are the criminals attacking crypto exchanges, what is in their arsenal, and what can be done to avoid becoming a victim?
The hack of the Japanese crypto exchange Coincheck in late January 2018 not only deprived users of tokens worth more than $500 million but also shook the crypto community's confidence in the cyber defenses of such exchanges.
As a result, on March 5 Japanese exchanges united against a common enemy: an organization that will include 16 licensed exchanges and will engage not only in self-regulation but also in resisting hacker attacks. The growing popularity of everything bearing the prefix “blockchain” and smelling of fast money inevitably attracts scammers to this sphere. While developers of crypto instruments and holders of electronic wallets neglect security, the number of reports about “robberies of the century” and multimillion-dollar thefts from crypto exchanges keeps growing.
According to a report by Group-IB, one of the leaders in the cybersecurity market, blockchain projects remain a tasty morsel for those engaged in various kinds of attacks and theft. On average, one ICO project is attacked at least 100 times. International crypto exchanges, where the turnover of funds is several times higher, become targets of intruders at least as often; only the numbers and losses are, as a rule, far more impressive.
The South Korean crypto exchange Youbit was hacked twice, in April and December 2017. The first hack led to the loss of about 4,000 bitcoins; the second deprived the exchange of 17% of all its assets and led to its closure. NiceHash, a platform for the purchase, sale, and lease of mining equipment, was hacked in early December 2017, with total damage of $80 million.
The popular Japanese crypto exchange Coincheck was visited by intruders in late January 2018 who managed to transfer 523 million NEM cryptocurrency tokens to their own electronic wallets, worth about $534 million at the time.
There were also cases involving the exchanges Bithumb and Mt. Gox; the list goes on.
“The number of attacks on crypto exchanges increased dramatically just at the moment when the digital currencies themselves began to grow in value. In December 2017, the price of Bitcoin reached $20,000, which could not help attracting the attention of cybercriminals,” said Georgy Lagoda, General Director of the company SEC Consult Services. “At the same time, the level of protection of these sites against cyber attacks was not high enough to prevent millions in losses.”
Get caught, exchanges, large and small
What makes blockchain projects vulnerable to cyber attack? First, developers often incorrectly believe that the words “crypto” and “blockchain” mean safety by default. “Due attention is paid neither to the quality of the code nor to the network architecture,” observes Georgy Lagoda, “and they may be vulnerable. Separate attention should be paid to the safety of smart contracts. Here, too, they often rely on the security of the blockchain structure, neglecting the unsafe use of pseudorandom number generators that take data from the main Bitcoin network or similar currencies as a source of randomness.”
In February, experts estimated that of the million Ethereum smart contracts, more than 34,000 are vulnerable. Researchers from University College London tested their assumptions on 3,000 smart contracts for the Ethereum blockchain: 89% of them carried specific bugs that would theoretically allow the theft of $6 million.
The most popular attacks to date are DDoS and phishing.
The abbreviation DDoS (Distributed Denial of Service) has long adorned news bulletins and makes users shudder. In this attack, hackers send artificially created traffic from many sources to the server to create an unbearable load and “take it down.” Exchanges also lose money here, because while access is unavailable for an unusually long time, users cannot use the exchange's functions and capital does not move. The Bitfinex exchange underwent a powerful attack of this kind in December 2017.
Phishing is fraud based on the principles of social engineering. First, an almost exact copy of a site is created, for example that of an exchange chosen by the attackers. Then, using spam technology, an e-mail is sent out, designed to look as similar as possible to a real letter from the exchange.
Nearly identical logos are reproduced, along with the names and surnames of real executives. The letter reports that because of a software change or (the irony!) because of a hacker attack, the user needs to confirm or change his credentials. In all cases, the purpose of such letters is the same: to force the user to click the enclosed link and then enter confidential data on a malicious site. A few weeks ago, users of the Binance crypto exchange fell victim to such tricksters, and it was almost impossible to distinguish the fake site from the real one with the naked eye.
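As an added example (not from the original article), the following Python check shows how the hostname in such a link can be tested against an exchange's real hostname: it decodes punycode, strips combining marks such as dots under letters, and maps lookalike letters to their Latin twins. The allow-list and the confusable table are constructed for this example; a real deployment would use the full Unicode confusables data (UTS #39).

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed allow-list of legitimate exchange hostnames (sample values for this example).
TRUSTED_HOSTS = {"binance.com", "www.binance.com"}

# Hypothetical, deliberately small confusable map: Cyrillic, Greek and digit lookalikes
# of Latin letters. A production check would use the Unicode confusables data (UTS #39).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",  # Cyrillic а е о р с
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0455": "s",                 # Cyrillic х у і ѕ
    "\u03bf": "o", "\u03b1": "a", "\u03bd": "v",                                 # Greek ο α ν
    "\u0131": "i", "0": "o", "1": "l",                                          # dotless ı, digits
}


def skeleton(host: str) -> str:
    """Reduce a hostname to the ASCII 'skeleton' a human eye perceives.

    NFKD decomposition splits accented letters so that combining marks such as the
    dot below in 'ṇ' can be dropped; remaining confusable letters map to Latin twins.
    """
    decomposed = unicodedata.normalize("NFKD", host.lower())
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return "".join(CONFUSABLES.get(ch, ch) for ch in stripped)


def classify_link(url: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the hostname in a URL."""
    host = urlsplit(url).hostname or ""
    # Punycode labels (xn--...) are decoded so the lookalike letters become visible.
    try:
        host = host.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already Unicode, or malformed punycode: check the host as given
    if host in TRUSTED_HOSTS:
        return "trusted"
    if skeleton(host) in {skeleton(h) for h in TRUSTED_HOSTS}:
        return "lookalike"  # reads like the real host, but is a different domain
    return "unknown"
```

A result of "lookalike" is the case the article describes: a domain that survives a glance but is not the exchange's own.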
Therefore, the red thread running through every list of expert recommendations is always the same spell: do not store significant funds on exchanges and use these sites only for transactions. “Attacks on ICOs occur all the time,” says Yevgeny Yurtaev, director of the financial software company Zerion. “One of the most common examples is spoofing, when attackers gain access to a site's DNS and redirect it to a non-existent domain. Enigma, for example, was affected by such an attack: the fake site displayed the address to which funds were to be transmitted, and more than $500,000 was stolen. The general recommendation is not to store large amounts of money on centralized exchanges and, if possible, to use decentralized alternatives that are gaining liquidity.”
Shield, sword, and registration
What to do? There is a way to bring the risks close to zero: conducting internal and external information security audits, continuous monitoring of user activity, and use of solutions recommended by experts. The international standard COBIT (Control Objectives for Information and Related Technology), for example, is used by auditors more often than others.
One of the basics of blockchain is the use of smart contracts. A comprehensive audit of them should also be carried out without fail. The difference from “conventional” information security lies in the criticality of the system, the amount of money that continually revolves around the project, and the system's own logic.
To protect its users, the exchange needs to defend itself first
The most common solutions are two-factor authentication (2FA) and “cold” servers.
Some exchanges go further and ask users to provide copies of documents. For example, Bittrex requires account verification with personal data for withdrawals of digital currency up to a total of 3 bitcoins per day, and a copy of an identity document for withdrawals up to 100 bitcoins per day. Also, the bulk of an exchange's digital assets are stored offline on “cold” media, that is, media not physically connected to any computer, and brought online only when transactions are made.
There are also AML (Anti-Money Laundering) and KYC (Know Your Customer) procedures, which the exchange declares binding.
The key to the apartment where the money is
They say there are three kinds of lies: lies, damned lies, and statistics. Statistics say that there is, on average, 1 error per 1,000 lines of source code. Moreover, there is no certainty that this particular bug is not security-related.
According to cybersecurity experts, even if the exchange's developers write perfect code, there is always a risk of vulnerabilities in the third-party projects they have to use.
“For any exchange, and not just a cryptocurrency one, attacks based on social engineering play a separate role in the general spectrum of attacks. And also, surprisingly, random events caused by ordinary human stupidity and inattention. Ordinary users are often big fans of weak passwords, lose “cold” wallets, use “hot” wallets and public Wi-Fi to access large amounts of money, and follow suspicious links,” says Georgy Lagoda, describing common mistakes.
In the end, a user or site whose money has been stolen in one way or another is forced to rely only on the honesty of the hackers, because unlike the traditional financial environment, the cryptosphere has no worked-out procedures for recovering lost funds. If hackers break into your bank account and take a significant amount of money from it, the bank can track and cancel the illegal transactions, making up for the damage. Compensation for stolen cryptocurrency is problematic or simply impossible for technological reasons and because of the anonymity of transactions. All the more curious is the story of an unknown Robin Hood of hacking origin who, for an unknown reason, returned $26 million in Ethereum tokens to the CoinDash exchange he had robbed last year. In most cases, one should not count on such altruism. Therefore, it is worth remembering:
– First, hype has a price;
– Secondly, security, as always, comes first.