ICORating, an agency that provides independent research evaluating initial coin offering (ICO) projects, has detailed multiple potential security weaknesses at high-volume cryptocurrency exchanges. The agency's goal is to educate potential ICO investors, since the industry is still at the development stage and is not yet fully regulated. It assigns ICO projects ratings such as "risky" or "stable". Its research found that while most cryptocurrency exchanges attempt to adhere to the compliance regulations governing security, multiple loopholes remain that hackers could exploit to gain access to client and company funds.
Since 2010, there have been numerous high-profile hacks against crypto exchanges, with the cumulative heists making off with $1.3 billion. These attacks have left both exchanges and clients devoid of their funds, leading to litigation against firms, with some seeing bankruptcy or even a second strike by hackers.
ICORating compiled a report assessing the potential security flaws of 100 exchanges whose daily trade volume exceeds $1 million. The report gathered data in four categories: console errors, user account security, registrar and domain security, and web protocol security.
For registrar and domain security of the reported cryptocurrency exchanges, only 2% used registry locks, 10% used DNSSEC, and 4% utilized best practice in 4 out of the 5 areas.
According to the report, web protocol services needed to be reviewed by a number of the exchanges.
The exchanges were graded on five factors:
1. Strict-Transport-Security header (an HTTP Strict Transport Security (HSTS) header forces browsers to browse the website over HTTPS).
2. X-XSS-Protection header (X-XSS-Protection defines how browsers should enforce cross-site scripting protection).
3. Content-Security-Policy header (Content-Security-Policy (CSP) enables the definition of permitted sources for each type of content, helping to defend against XSS attacks. It also enables the definition of several browser behaviors, from sandbox enforcement to the value sent in the HTTP Referer header.)
4. X-Frame-Options header (an X-Frame-Options header specifies whether the website should allow itself to be framed, and from which origin. Blocking framing helps defend against attacks such as clickjacking.)
5. X-Content-Type-Options header (X-Content-Type-Options can direct browsers to disable sniffing of the page content type and only use the content type defined in the directive itself. This provides protection against XSS or drive-by-download)
The assessment showed that only 10% of exchanges send all five headers, 29% of exchanges send none of the above-mentioned headers, and only 17 exchanges send a Content-Security-Policy header.
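As an added example (not part of ICORating's report or its tooling), the following Python audits a raw HTTP response for the five graded headers and, beyond the report's present/absent count, flags a header that is present but effectively switched off; the sample responses are constructed for the example.

```python
"""Audit an HTTP response for the five headers ICORating graded. Added example
with constructed sample responses, not ICORating's tooling. Names match
case-insensitively; a header that is present but disabled is reported 'weak'."""
from typing import Callable, Dict
# Header -> predicate that is True when the value actually enables the protection.
CHECKS: Dict[str, Callable[[str], bool]] = {
    "Strict-Transport-Security": lambda v: any(
        p.strip().startswith("max-age=") and p.strip() != "max-age=0"
        for p in v.split(";")),
    "X-XSS-Protection": lambda v: v.strip().startswith("1"),
    "Content-Security-Policy": lambda v: "default-src" in v.lower() or "script-src" in v.lower(),
    "X-Frame-Options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "X-Content-Type-Options": lambda v: v.strip().lower() == "nosniff",
}

def parse_response_head(raw: str) -> Dict[str, str]:
    """Split the head of a raw HTTP/1.1 response into {header: value}."""
    headers: Dict[str, str] = {}
    for line in raw.split("\r\n")[1:]:   # skip the status line
        if not line:                     # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return headers

def audit_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Map each graded header to 'ok', 'weak' (present but ineffective) or 'missing'."""
    lowered = {k.lower(): v for k, v in headers.items()}
    verdict = {}
    for name, is_effective in CHECKS.items():
        value = lowered.get(name.lower())
        if value is None:
            verdict[name] = "missing"
        else:
            verdict[name] = "ok" if is_effective(value) else "weak"
    return verdict

def present_count(headers: Dict[str, str]) -> int:
    """The report's metric: how many of the five headers the response carries at all."""
    return sum(v != "missing" for v in audit_headers(headers).values())

# Constructed sample: a front page sending all five headers (one in lowercase).
FULL_RESPONSE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                 "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
                 "X-XSS-Protection: 1; mode=block\r\nX-Frame-Options: DENY\r\n"
                 "Content-Security-Policy: default-src 'self'\r\n"
                 "x-content-type-options: nosniff\r\n\r\n<html>...</html>")
# Constructed sample: three headers present but effectively switched off.
WEAK_RESPONSE = ("HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=0\r\n"
                 "X-XSS-Protection: 0\r\nX-Frame-Options: ALLOWALL\r\n\r\n")
```

The weak sample would score 3 of 5 on the report's count alone, which is why the value check matters when reading such a grade.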
Overall, ICORating ranked BitMEX third, Kraken second, and Coinbase in the top spot. Whatever measures a crypto exchange takes to safeguard the funds under its care, vigilance needs to be maintained, as hackers and con artists are adapting as well.