The cryptocurrency landscape has changed significantly since Bitcoin’s earliest days, but one thing that’s remained constant is exchange breaches. From the Mt Gox days to last month’s Zaif hack, exchanges have been regularly surrendering their funds, despite the increasing value of crypto assets incentivizing them to up their opsec. A detailed new report from ICOrating.com has revealed the extent of the lax security practices that pervade many exchanges, including several supposedly top-tier platforms.
The ICO listing and analysis site profiled 100 exchanges whose daily volume exceeds $1 million and found most of them wanting in one or more areas. For example:
- 41% of exchanges allow passwords with fewer than 8 symbols
- 37% of exchanges allow passwords with either digits or letters alone
- 5% of exchanges allow the creation of accounts without email verification
- 3% of exchanges lack 2FA
- Only 46% of exchanges meet all four parameters
Just 4% of Exchanges Were Found to Have Best Practice for Domain Security
ICO Rating also considered registrar and domain security. Specifically, it looked for controls such as a registry lock, which prevents unauthorized changes to the domain at the registry, and DNSSEC, which prevents DNS cache poisoning, an attack vector previously used against platforms like Myetherwallet. Its findings were as follows:
- Only 2% of exchanges use registry lock
- Only 10% of exchanges use DNSSEC
- Only 4% of exchanges use best practice in 4 out of 5 of these areas
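The two domain-security controls the report scores, registry lock and DNSSEC, can be checked from the outside: a registry lock shows up as the registry-only EPP status codes on the domain's RDAP/WHOIS record, and DNSSEC as a DS record in the parent zone plus answers that a validating resolver marks authentic. The following is an added example, not part of the ICO Rating report or any exchange's code; the domain names and their status data are constructed, and the `DomainPosture` fields stand in for what a real audit would read from RDAP and a validating resolver.

```python
from __future__ import annotations
from dataclasses import dataclass

# EPP status codes only the registry itself can set; all three together are
# what a "registry lock" looks like from outside. The client* codes are set
# by the registrar and only protect against mistakes or account takeover there.
REGISTRY_LOCK_STATUSES = {"serverDeleteProhibited", "serverTransferProhibited",
                          "serverUpdateProhibited"}
REGISTRAR_LOCK_STATUSES = {"clientDeleteProhibited", "clientTransferProhibited",
                           "clientUpdateProhibited"}

@dataclass
class DomainPosture:
    domain: str
    epp_statuses: set[str]   # "status" values from the domain's RDAP/WHOIS record
    has_ds_record: bool      # DS record published in the parent zone
    ad_flag_set: bool        # validating resolver set AD on the A/AAAA answer

def assess(p: DomainPosture) -> dict:
    """Grade one domain against the report's two controls; findings are plain text."""
    findings = []
    if REGISTRY_LOCK_STATUSES <= p.epp_statuses:
        lock = "registry"
    elif REGISTRAR_LOCK_STATUSES & p.epp_statuses:
        lock = "registrar"
        findings.append("registrar lock only: no registry lock in place")
    else:
        lock = "none"
        findings.append("no transfer/update lock on the domain at all")
    # DNSSEC only counts when the chain of trust exists AND the answers validate.
    dnssec = p.has_ds_record and p.ad_flag_set
    if not p.has_ds_record:
        findings.append("no DS record: DNSSEC chain of trust not established")
    elif not p.ad_flag_set:
        findings.append("DS published but answers fail validation (broken signing?)")
    return {"domain": p.domain, "lock": lock, "dnssec": dnssec, "findings": findings}

# Constructed sample input; these are not real exchanges or real records.
SAMPLES = [
    DomainPosture("exchange-a.example",
                  {"serverDeleteProhibited", "serverTransferProhibited",
                   "serverUpdateProhibited", "clientTransferProhibited"}, True, True),
    DomainPosture("exchange-b.example", {"clientTransferProhibited"}, False, False),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(assess(sample))
```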
Coinbase and Kraken Score the Highest – Okcoin the Lowest
ICO Rating concludes by publishing a table rating all 100 exchanges profiled according to their aggregated security score. No exchange manages to score 90% or higher but Coinbase comes the closest, at 89/100, followed by Kraken at 80 and then Bitmex and Gopax in joint third (78). Other notable entries on the list are Cobinhood (8th), Ethfinex (12th), Bittrex (13th) and Binance (17th).
Bottom of the list is Okcoin.cn, which scores just 15/100. Other noteworthy exchanges that score poorly are Mercatox (25/100), the hacked Zaif (29/100), and Bithumb (34/100). While previous attempts have been made at rating the security practices of cryptocurrency exchanges, ICO Rating’s report is the most detailed yet. It is not comprehensive, for it does not detail such matters as dynamic IP verification, withdrawal checks, and other security measures. Nevertheless, it provides a snapshot of the health of crypto exchanges and shows there’s room for improvement across the board.