Dr. Vidy Potdar, a Ph.D. in Information Security with over 15 years of experience in technology development, recently completed an extensive analysis of cryptocurrency exchanges and their digital security. His study found that nearly every exchange has massive security flaws in both their password protocols and their HTTP security protocols.
Ausfinex, a next-generation Australian cryptocurrency exchange, recently released a study by Dr. Vidyasagar Potdar focusing on the security of the current cryptocurrency exchange landscape. With security deficiencies often cited as one of the most pressing concerns in the cryptocurrency industry, the new security study provides valuable insights into the current exchange market.
The study, conducted by Dr. Vidyasagar Potdar (also known as Dr. Blockchain), evaluates eleven popular current cryptocurrency exchanges, including several that are local to Australia, and primarily examines their password policies and HTTP security features. Dr. Potdar identified the many concurrent problems in the password policies of exchanges as the foremost security issue in exchange authentication mechanics. Using a six-dimensional password security rating metric, Dr. Potdar concluded that current password security implementations are far from ideal.
In the course of his study, Dr. Potdar found that none of the exchanges evaluated restricted the use of reserved words for passwords on their platforms. This means that commonly used phrases and password combinations (for example Password123 or admin123) are accepted as strong passwords. Second, several exchanges did not have a security measure in place that automatically flagged cases where numbers were used in serial order as part of the password, leading to trivial attempts at guessing passwords occasionally ending successfully.
The other component of cryptocurrency exchange security that Dr. Potdar analyzed is the employment of HTTP security headers. HTTP security headers provide an additional web security layer that is relatively simple to implement, that can mitigate a myriad of security vulnerabilities, and that should be standard practice for every cryptocurrency exchange. His findings demonstrate that the implementation of HTTP security headings is severely lacking. Out of the eleven total exchanges examined, none of them integrated an HTTP security header designed to prevent cross-site scripting attacks. Further, 54 percent of the exchanges did not employ the simple HTTP security header that tells the browser to communicate only over HTTPS, rather than the less secure HTTP protocol.
Dr. Potdar offers some insights into potential security solutions outside of technical implementations. His report refers explicitly to hacker bounty programs and rewarding experts through incentives.
Hacker bounty programs have become popular in the cryptocurrency realm as platforms aim to facilitate crowdsourced security reviews of their codebases. For instance, Binance -- the Malta-based cryptocurrency exchange -- recently launched a $10 million bounty program for hackers to report on potential bugs and critical threats to their exchange. The substantial program reward is designed to influence security experts to participate in the security review.
A similar mechanism for non-technical security solutions is to reward cybersecurity experts for finding critical bugs and reporting them to CERT to prevent future exploitation of related vulnerabilities in other platforms.
Dr. Potdar’s security study concluded with a strong emphasis on the need for cryptocurrency exchanges to provide the maximum security standards rather than the minimum security standards that most exchanges still aren’t meeting.
As an upcoming platform focused on becoming the preferred cryptocurrency exchange option in Australia, Ausfinex is keenly aware of the need for robust security measures and is planning to learn from the results of their study to create the safest cryptocurrency exchange possible.