Cryptocurrency is a fast-growing industry and has been attracting lots of attention lately. However, not all is rosy; cryptocurrency exchanges have experienced multiple hacks in the past, most of which resulted in the loss of large sums of funds. This is due to the fact that cybersecurity isn’t given the priority it deserves.
So we invited Dyma Budorin, the CEO of Hacken Group in our Virtual Meetup #4 on Wednesday, July 22 @ 10AM EST to discuss the state of cybersecurity in crypto.
Held monthly, CoinGecko’s Virtual Meetup is our live online community event where we explore different key topics in the crypto sphere and invite industry leaders to share their two satoshis.
In our discussion, we touched on the current state of cybersecurity in the cryptocurrency industry, the balance between good cybersecurity and convenience, types of security audit applied to decentralized exchanges, future of the Internet, and also the recent Twitter hack.
Here is a quick breakdown of what Dyma shared:
1. How did Dyma get into the cryptocurrency industry and started Hacken?
Dyma started his career 14 years ago in the audit department of Deloitte. Having spent years checking companies for mistakes, it was only natural for him to apply that knowledge to the cryptocurrency space, which is why he started Hacken. The Hacken team's background is similar to Dyma's: most of them come from the major accounting firms.
2. The current state of cybersecurity in the cryptocurrency industry
Cryptocurrency exchanges aren’t doing enough in terms of cybersecurity. That being said, many major ones have good policies where they’ve built lots of walls to prevent hacking.
“There are always hidden windows,” said Dyma.
From the viewpoint of Hacken, not many exchanges are hiring cybersecurity engineers, which comes as a surprise considering the amount of assets an exchange deals with.
3. Fine balance between good cybersecurity and convenience
Most crypto exchanges have not struck a balance between good cybersecurity and convenience. They drop the focus on user security entirely and prioritize convenience instead. Security features such as mandatory two-factor authentication (2FA) or withdrawal limits are overlooked because exchanges don't want to lose clients.
However, Dyma believes this will change, and certain security practices will become the industry standard. These benchmarks will then be converted into ISO standards and will form the security baseline for crypto exchanges. Exchanges that meet such standards will be able to demonstrate their quality and safety.
4. What's the benchmark for crypto exchanges to achieve when applying for regulator-issued licenses?
From what Dyma has seen, regulators in Korea and Japan always review the financial health of the exchanges. An exchange with healthy financials would hold funds larger than its clients' deposits. At the moment, 80% of exchanges aren't meeting this measure. Regulators may also push crypto exchanges to disclose their assets and liabilities, and the repercussions may be very harsh when this goes into effect.
The second benchmark to achieve would be good private key management. Only one exchange, Gemini, has done an industry-standard review of the internal controls over its private keys. This review was performed by Deloitte. Information about exchanges should be made public, such as details of the management team, the procedure for managing cold wallet private keys, and which executives have access to the funds.
Dyma went on to say that internal controls, financial audits, licensing, and cybersecurity will be the trend of the industry. Fiat gateways of exchanges who don’t hold proper licensing will be shut down.
5. What kind of security audit applies to decentralized exchanges?
“For decentralized exchanges, the token from a smart contract is integrated to allow for trading,” said Dyma. “There was a case involving the Balancer exchange, whereby one of the tokens was not ERC-20 but was integrated as such, and this caused a bug which was exploited by an attacker. The attacker managed to double-spend a lot of funds with this bug.”
“Before this, Balancer went through three security audits, but they didn’t cover whether the tokens were integrated properly,” explained Dyma. This shows that decentralized exchanges need to obtain a third-party opinion.
6. Thoughts on the recent Twitter hack
In mid-July 2020, Twitter was breached by a hacker who managed to get access to all Twitter accounts via super admin rights, allowing them to tweet anything. During the hack, they sent a tweet asking victims to send them BTC, claiming that the sender would receive double the amount in return. Profiles of influential individuals such as Barack Obama, Bill Gates, Kim Kardashian and many others were accessed by the hacker.
Dyma believes that it could have been a government experiment or an incident whereby someone found the credentials, whether intentionally or unintentionally. Either way, it is a very serious issue for the Twitter security team, as super admin rights are a very big asset that needs to be properly protected.
“There should not be any available doors on the computer used to access the super admin rights—no other applications, social media accounts, absolutely nothing.” chimed Dyma. “The internal controls should be in place so that such an incident doesn’t happen. A third-party auditor who reviews these super admin rights specifically should be brought in.”
7. What do you think of the future of the Internet? Will it be a safe place?
Looking at the history of the cybersecurity space, it has come a long way, evolving and improving a lot. But hackers are people who will always try to bypass something. The bigger the walls, the higher the temptation for hackers. They will always find a way to get behind the wall or jump over it.
“I think what is more important is education,” suggested Dyma. “Cybersecurity has to be a must in schools or at least an online training that you must pass.”
Hacken is currently working on providing education courses on cybersecurity and believes that awareness is really important. Interestingly, the founder of Hacken shared that he was once hacked, and also broke his finger. But he would rather break his finger again than get hacked.
8. Insights on the strange web-flow results from faucet sites to crypto exchanges
Web traffic is indicative of a crypto exchange's ability to attract an audience. The assumption is that the more traffic a website has, the more popular it is and the larger its user base. It is one of the metrics measured by CoinGecko's Trust Score exchange ranking algorithm.
Crypto exchanges also use web traffic to attract new tokens for listing. As higher traffic indicates more potential users, the exchange can command higher listing fees.
As such, crypto exchanges are incentivized to show a large amount of web traffic, and there are services out there which help inflate this figure.
“This means it is harder to get fair data,” said Dyma.
This issue doesn’t just apply to crypto; it’s a global problem.
For example, there are thousands of Instagram stores, so which one does a customer go to? The one with the most followers? How do we verify whether these followers are real or not? How do we obtain information such as their location and demographic?
To combat this global problem, Dyma suggested that, “the traffic we track should be a combination of SimilarWeb data, social media, and mentions in search engines. It is important since it can be tracked.”
Shaun Paul Lee
Shaun is a Research Associate at CoinGecko with a fondness for memes and farming on the blockchain. Follow the author on Twitter @ShaunPaulLee