Cryptocurrency exchange

Overview

Cryptocurrency exchanges are a vital part of the ecosystem: they allow users to buy and sell various coins and tokens for common currencies such as the US dollar, and they serve as an entry-level wallet for users who do not want to manage seed phrases and the other procedures of self-custody. While exchanges are an important part of the decentralized ecosystem, most are themselves centralized: the exchange holds the private keys on your behalf, so the safety of your assets depends on the security of your login. Exchanges therefore come with their own security best practices that users should follow to keep their assets safe.

Password Management

Users should first focus on password hygiene when thinking of exchange security. There are 3 areas of focus for password security - password length/complexity, password reuse, and password storage.

The first rule is to never reuse passwords, especially for cryptocurrency exchange accounts. The password for your exchange account must be unique, so that a leak from another service cannot compromise it. For example, suppose you use the same password for your exchange account and for an online shop. If the shop's password database is breached, attackers will try that email and password combination against exchanges and other high-value sites, usually with automated tools. This type of attack is known as credential stuffing.

The second practice is to favor length over complexity when creating your passphrases. Many assume that substituting symbols into a short password makes it much harder to crack, for example changing LeetSpeak to L33t$pe@k. It does not: common substitutions such as 3 for e and $ for s are built into the rule sets of password-cracking tools, so they add very little work for an attacker. Length matters far more than special characters. For example, ILikeToCreateLongerPassphrases is far stronger than L33t$pe@k.

The hardest passwords to crack are those generated from a secure random source. Even better than ILikeToCreateLongerPassphrases is something like e9623WR108SpXSbfhSlj: 20 characters drawn uniformly from letters and digits carry roughly 119 bits of entropy (randomness), which is out of reach of any guessing attack. If a password must be typed rather than copy/pasted or autofilled, a diceware passphrase is the practical alternative: words are selected from a published wordlist by rolling physical dice, or by a diceware generator that uses a cryptographically secure random source. For example: JeanRemanTonCockyTyburn. These are English words with no relation to each other, yet they are easy to type and even to remember. Five words chosen at random from the 7,776-word EFF list give about 65 bits of entropy, so five unrelated words is a good first step toward a strong passphrase. The words must come from the random source, not from your own head, because words people pick themselves are far from uniformly random.
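As an added worked example (not code from the original article or from C4), here is the diceware selection the paragraph describes, implemented in Python: dice are rolled from the operating system's cryptographic random source, each roll is read as a base-6 number to index a wordlist, and the same module also produces a uniformly random alphanumeric password and computes the entropy of each. The 36-word list is a constructed stand-in for the real 7,776-word EFF list, which is assumed rather than embedded; the function names are the example's own.

```python
import math
import secrets

# Constructed 36-word demo list (6**2 entries, so two dice select a word).
# The real EFF large wordlist has 7776 = 6**5 entries selected by five dice
# and is not embedded here; it gives about 12.9 bits per word instead of 5.2.
DEMO_WORDLIST = [
    "acorn", "basil", "cabin", "delta", "ember", "fable",
    "gavel", "hazel", "igloo", "jumbo", "kayak", "lemon",
    "mango", "noble", "olive", "pixel", "quilt", "river",
    "salsa", "tulip", "umbra", "vivid", "wagon", "xenon",
    "yacht", "zesty", "amber", "bison", "cedar", "dingo",
    "eagle", "flint", "gecko", "heron", "ivory", "jewel",
]

ALNUM = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"


def roll_dice(n):
    """Roll n fair dice using the OS CSPRNG; returns faces in 1..6.
    Never use random.random() here: it is not a secure source."""
    return tuple(secrets.randbelow(6) + 1 for _ in range(n))


def rolls_to_index(rolls):
    """Turn dice faces into a 0-based wordlist index by reading them as a
    base-6 number (1,1 -> 0 ... 6,6 -> 35; 1,1,1,1,1 -> 0 ... 6,6,6,6,6 -> 7775).
    This is the lookup a diceware list performs with a number like 11111."""
    index = 0
    for face in rolls:
        if not 1 <= face <= 6:
            raise ValueError(f"die face out of range: {face}")
        index = index * 6 + (face - 1)
    return index


def dice_per_word(wordlist):
    """How many dice address the list; the length must be an exact power of six
    so every roll maps to exactly one word and every word is equally likely."""
    k = round(math.log(len(wordlist), 6))
    if 6 ** k != len(wordlist):
        raise ValueError("wordlist length must be a power of six")
    return k


def diceware_passphrase(wordlist, n_words, roll=roll_dice, sep=""):
    """Select n_words by independent rolls. `roll` is injectable so the
    mapping can be exercised with fixed dice in a test."""
    k = dice_per_word(wordlist)
    words = [wordlist[rolls_to_index(roll(k))] for _ in range(n_words)]
    return sep.join(w.capitalize() for w in words)


def random_password(length, alphabet=ALNUM):
    """Uniformly random password from a CSPRNG, e.g. for a password manager."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(choices, count):
    """Entropy in bits of `count` independent, uniform picks from `choices`
    options: count * log2(choices)."""
    return count * math.log2(choices)


if __name__ == "__main__":
    print("passphrase:", diceware_passphrase(DEMO_WORDLIST, 5))
    print("password:  ", random_password(20))
    print(f"5 words from the 7776-word EFF list: {entropy_bits(7776, 5):.1f} bits")
    print(f"5 words from the 36-word demo list:  {entropy_bits(36, 5):.1f} bits")
    print(f"20 alphanumeric characters:          {entropy_bits(62, 20):.1f} bits")
```

The entropy figures only hold when the words are chosen by the dice or the CSPRNG; the same formula overstates the strength of a passphrase a person assembled by hand, which is why the generator, not the user, must pick the words.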

A third challenge is storing and remembering all of these long, unique, randomly generated passphrases; many users have tens if not hundreds of online accounts. A password manager solves both problems. It stores passphrases in an encrypted database, and the user has to remember only one very long and secure master passphrase to unlock it. Most modern password managers autofill passphrases into websites or copy them to the clipboard as needed, and most will also generate high-entropy passwords for you. Protect the manager itself the way you would the exchange account: a strong master passphrase, and 2FA where the manager supports it.

2 Factor Authentication

It's also critical that users apply strong 2 factor authentication (2FA) to their exchange accounts. This adds a second layer between an attacker and account access. A password is "something you know", while most 2FA tokens are "something you have." There are 3 common types of 2FA.

The first is email or SMS text-message based: after entering your passphrase, the site sends a one-time code by email or text, and you enter it to finish logging in. This type of 2FA is strongly discouraged because it is the easiest for an attacker to steal. Many in the cryptocurrency space have lost accounts and assets to SIM swap attacks, in which the attacker impersonates you to the phone company and has your number moved to a SIM they control; every SMS code then arrives on the attacker's phone, and combined with a password reset sent to the same number it is often enough to take over the exchange account. Email-delivered codes are only as strong as the email account they land in (see Email Security below).

A second, more secure method is app-based 2FA via apps such as Microsoft Authenticator, Google Authenticator, Duo, and many others. You set it up by installing the app on your phone and scanning a QR code from your account; the code carries a secret "seed" that is stored in the app and on the exchange's side. From that seed and the current time the app generates one-time codes (TOTP) that change every 30 seconds, and you enter the current code to complete login, just as with SMS. Because the seed never leaves the app and nothing is transmitted over the phone network, these codes are far harder to intercept. Two caveats: keep the backup codes the site issues at setup somewhere safe, because losing the phone otherwise locks you out; and a TOTP code can still be phished by a fake login page that relays it to the real site within its 30-second window, which is the weakness hardware keys address.
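As an added example, not code from the article or from any of the authenticator apps named above, here is the TOTP algorithm those apps implement (RFC 6238 over RFC 4226 HOTP) in Python, including the base32 seed decoding that the QR-code setup step relies on and a server-side check with a small clock-drift window. It uses the RFC 6238 test seed rather than a real account secret; the function names are the example's own.

```python
import base64
import hashlib
import hmac
import struct
import time


def decode_seed(b32_seed):
    """Decode the base32 seed carried in the otpauth:// QR code. Spaces and
    lowercase are tolerated and missing '=' padding is restored."""
    s = b32_seed.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(key, counter, digits=6, digest=hashlib.sha1):
    """RFC 4226: HMAC the 8-byte big-endian counter, dynamically truncate
    to 31 bits, and keep the last `digits` decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), digest).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key, for_time=None, step=30, digits=6, digest=hashlib.sha1):
    """RFC 6238: the counter is the number of `step`-second intervals since
    the Unix epoch, which is why the code changes every 30 seconds."""
    if for_time is None:
        for_time = time.time()
    return hotp(key, int(for_time) // step, digits, digest)


def verify_totp(key, submitted, for_time=None, step=30, digits=6, window=1):
    """Server side: accept the code for the current interval and `window`
    intervals either side to tolerate clock drift. Uses a constant-time
    comparison so the check does not leak matching digits via timing."""
    if for_time is None:
        for_time = time.time()
    counter = int(for_time) // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(key, c, digits), submitted):
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 test seed "12345678901234567890", shown as the base32 form an
    # exchange would embed in its QR code.
    key = decode_seed("GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ")
    print("current code:", totp(key))
    print("RFC 6238 vector, T=59:", totp(key, 59, digits=8))  # 94287082
```

Note that nothing in the scheme ties a code to the site that asked for it: anyone holding a valid code within its interval can use it, which is why the real-time phishing caveat above applies and why a seed should never be reused across accounts.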

The third and most secure common type of 2FA is a hardware security key. A popular example is the YubiKey brand. These are small USB (or NFC) devices that you register with your account. When logging in, you plug the key into the computer you are using and touch it when prompted. Modern keys (FIDO2/U2F) sign a challenge that is bound to the site's real domain, so a phishing page on a look-alike domain cannot obtain a valid response; compromising this type of 2FA effectively requires physically stealing the key, which is a far less common attack than SIM swapping. Register a second key as a backup and store it securely, since losing your only key can lock you out of the account.

Email Security

Many users overlook email security when assessing the security of their exchange accounts. Access to the email address on file usually allows a legitimate user to reset a forgotten passphrase, so an attacker who first gains access to your email can use the same reset flow to take over your exchange account. Apply the same best practices to the email account: a strong, unique passphrase and app- or hardware-based 2FA. It can also help to use a separate email address only for cryptocurrency-related accounts, secured to the same standard, so that an attacker who finds your everyday address has not learned which account to target as the first step of a takeover.

You can learn more about cryptocurrency security by visiting https://cryptoconsortium.org/articles.

This article was written by our CryptoCurrency Essentials (CCE) Committee, with special thanks to committee member Josh McIntyre.

Disclaimer

The information presented in this article is for educational and informational purposes only. It does not constitute financial advice, investment recommendations, or any form of endorsement. 

The views and opinions expressed by individuals in this article are solely those of the speakers and do not necessarily represent those of C4 or any other organizations with which they are affiliated.

The mention or inclusion of any individuals, companies, or specific cryptocurrency projects in this article should not be considered as an endorsement or promotion.

Regulations and legal frameworks around cryptocurrencies may vary in different jurisdictions. It is your responsibility to comply with the applicable laws and regulations of your country or region. 
