"The Crypto Industry Does Not Meet the Minimal Security Standard"

by Finance Magnates Staff
  • Finance Magnates met with the cyber security expert Bojan Simic to talk about threats and protection.

The cryptocurrency market is gaining traction in the financial industry as the price of Bitcoin goes through the roof and attracts more and more public interest. Now even the institutional players have hopped on the bandwagon.

But there’s one facet of this industry that seems pushed to the sidelines – Blockchain cyber security. We all like to bury our heads in the sand and say if it ain’t broke don’t fix it. But the security problems of this cutting-edge technology remind us of their existence on an almost daily basis, with DDOS attacks, hacks, and cryptocurrency thefts sometimes reaching into the millions of dollars.

These dangerous occurrences not only affect the pockets of customers and the reputations of firms - they undermine the stability of the entire crypto market.

Therefore, we approached two leading cyber security specialists who have special expertise in the Blockchain industry. They provided us with the answers to all the questions that you didn’t know how to ask.

In the first of two interviews, Finance Magnates sat down with Bojan Simic, founder of the Bitcoin Security Project and CTO of HYPR – a leader in the growing decentralized biometric authentication sector.

Do you think that the cryptocurrency industry in general meets basic security standards?

Bojan Simic

No, the industry as a whole does not meet minimal security standards. Protocols such as Bitcoin certainly do. However, very few businesses in the cryptocurrency arena follow security best practices, as we've seen.

Crypto platforms (exchanges, wallets, mining farms, etc.) seem to be attacked more than fiat money institutions. Why do you think this is?

The affected platforms are mostly startups that do not invest the proper amount of time and other resources into security best practices. They do not have formal application security verification standards and do not exercise regular penetration tests on their systems. Banks have been doing this for much longer and have entire divisions dedicated to these types of tasks.

What weak links do you identify at blockchain-based platforms?

The weakest links are those that practice centralized storage or custodianship of individuals' wallets. The centralization of credentials or cryptocurrency keys is one of the biggest mistakes wallets and exchanges make.

When conceptualizing an authentication system, cryptocurrency service providers should take inspiration from blockchain-based platforms. They should decentralize credentials and keys so that sensitive information used for account access remains safe in the hands of those to whom it belongs: its owners. FIDO Alliance and other such standards provide a roadmap for decentralized authentication that is already being deployed across the legacy financial system. It also provides a frictionless user experience that addresses the poor usability issues that cryptocurrency suffers from when extra layers of security like two-factor authentication are added.

What security measures should large crypto exchanges undertake to prevent hacks / attacks? Are they doing this?

Generally speaking, they are not. Crypto exchanges and other service providers can undertake best practices such as securely storing private keys, implementing a sufficiently secure authentication mechanism, and adopting basic web application security controls. They should also ensure they have robust Denial of Service (DOS) prevention systems in place, encrypt data at rest such as PII and transaction history, and encrypt data in motion, meaning SSL/TLS encryption between the client and server.

Other measures common to the legacy financial system that cryptocurrency exchanges and other service providers should adopt are vigorous security training of all employees, and regularly performing basic security audits of their software and hardware infrastructure.
