Dmytro Budorin is the co-founder and CEO of Hacken, a leading cybersecurity consulting company with an essential focus on blockchain security. Hacken offers a wide range of security services such as blockchain security consulting, web/mobile penetration testing, coordination of bug bounty programs, crypto exchange ratings, and education on cybersecurity. It was founded in August 2017 and is a part of the Hacken Group. Read and learn a real lesson about cybersecurity and vulnerabilities in Crypto smart contacts, Defi Protocols, and Exchange security levels.
Interview Date : 11th November 2020
One of the Most Tragic Hacks
Back in 2017, people were keeping their assets on a hardware wallet. There was one individual who faced a massive hack and lost around 60 million dollars’ worth of assets on his hardware wallet. The attacker knew that this guy was using that kind of wallet, and targeted his attack by delivering a fake software update for the wallet. The holder didn’t see that the message wasn’t from the official wallet administrators and when he opened the software it didn’t go to the official homepage for the update either. Still, he didn’t think much of it and clicked “yes” to the update. Seconds after, the fake uploader started to install the fake wallet and stole everything on the wallet. The poor guy lost 60 million in a few minutes by just installing the wrong software update. So, what I am trying to say is that you should never install anything that is not from licensed stores.
Is KYC User Security?
KYC is usually needed for other purposes than for user security. I don’t think KYC has to do with individual security. For example, if a hacker hacks my account and steals all my BTC from my account, the KYC will not protect or help me in regaining my BTC back. I still will lose my BTC, and no one will help me. So, it is mostly for exchanges to confirm people’s identities so they do not register fraud, a money launderer, or drug trafficker, and hackers into their exchange. It can help in finding criminals if the exchanges create a good relationship with the police, for example. However, we haven’t seen much of such cooperation yet. Many people in the space are saying that blockchain should be decentralized and that we don’t need KYC. They state they need freedom and do not want any restriction on it.
We Need an Equilibrium
We need to decide what we want: do we want mass adoption, or do we want this technology to be used by thousands of people with no structure? It is obvious to me that mass adoption will come only if this technology is safe to use. Thus, without all these measures and some regulation by authorities, it is not safe to use. I think governments like the Japanese government are doing a good job of being cautious, and they are putting very strict requirements for cryptocurrency exchanges. The Japanese government goes to the extent where they are reviewing the balances of each exchange. They confirm how much money is on the balance of an Exchange, and how much money was deposited by the customers. Those have to match, which is what the Japanese government is checking.
On the contrary, an exchange that is registered on some island that no government or authority cares about, no one knows what is behind the exchange, or who is even behind the exchange. These kinds of exchanges receive people’s deposits and spend them. So, when the users of those exchanges demand their money back, the exchanges do not have the money to give back to the users. We will see much more of such failures in the future if we don’t create an equilibrium between regulation and the crypto industry.
Exchanges are Not Banks
People don’t understand the risks with crypto, and why regulators and exchanges have to take strict and drastic measures. Many think that a crypto exchange is the same as a bank, so if you put money in it, they will certainly get their money back. Different from exchanges, banks are very regulated and have a lot of measures in place. However, if a cryptocurrency exchange collapses or is hacked, all the accounts will be closed with all the money gone. When that happens, you cannot go to the government and ask for help. The government will say “sorry, but it is unregulated”, and so they cannot take any action. Hence, governments must regulate to a certain degree for mass adoption. I am a very big fan of mass adoption, but every exchange that is not regulated will 95% of the time exit and scam people one day. It is just a matter of time.
Crowdsource security is an organized security approach where several ethical hackers are hired to search for and report vulnerabilities on an exchange, and this is called bug bounty programs. Such measures may be conducted by an exchange, and by professional platforms. Unfortunately, some exchanges don’t have any bug bounty programs at all, meaning the exchange doesn’t know about their security vulnerabilities. That is why we underline the importance of bug bounty programs to all the exchanges.
Visibility and Exposure
Historical cases are about whether the exchange has been hacked or not in the past. An exchange that has never been hacked before gets a score of 10. Anything below that means the exchange may have been attacked or hacked before. Every exchange is under constant attack every day, so one has to be careful. Despite that, a lot of exchanges are trying to get listed on CoinMarketCap or CoinGecko. Although CoinMarketCap and CoinGecko have pretty strict requirements, once an exchange is listed, an army of hackers will start to attack your exchange. With an insecure level of security, and for example no bug bounty programs, the hackers will just vanish all money from the exchange. Hackers are monitoring every new exchange on CoinMarketCap, CoinGecko, and similar sites. Once they are listed, the hackers try to hack them as the newer ones are an easier target.
Hacken Team Check
We register an account, deposit money and funds in it on all known exchanges. Through this process, we can go through the security check level of those exchanges, and later give them a report of the exchange security level. We look at how the exchange functions, and so behind our reports, there are a thousand hours of work.
We are also thinking about creating a ranking of mobile wallets for NFTs. NFTs are becoming very popular right now, so we want to register a research site to help people and navigate them towards wallets that are safe to use.
Server security is about how the exchanges are protecting the exchange central infrastructure. If an intruder finds vulnerabilities in certificate measures in the server system, all the server components will be compromised. This may lead to massive monetary damage. With our Server Security measures, we examine the server security of exchanges.
User security is interesting because when you are creating an exchange, you have to create a puzzle. In that puzzle, you can make it easy for people so they can create an account with only 4 to 5 clicks to join. Or you can make it hard by creating different layers of confirmations for security. With the latter, you will not be able to open an account with only 4 to 5 clicks. It will take longer to open an account and start trading. Some exchanges select the first option for easy onboarding. Unfortunately, sometimes they can be very greedy, and do not install the necessary measures to protect users from setting up wall security characteristics like strict password requirement, Captcha, or 2 Factor Authentication.
Captcha is important because it provides protection from brute force. Brute force is a technique where a hacker can try to log in with different passwords infinitely for the same email address. If an exchange does not set up a captcha, it makes them vulnerable to brute force hacking techniques. And yet, as you can see from the graph, around half of the exchanges have not set up Captcha.
Missing headers means the data you are inserting into the exchange is not properly encrypted. Thus, the data can be intercepted by an attacker when you do a transfer at any given time. Let us say, you are transferring data, and at that time an attacker is intercepting that transfer. The hacker can change your password, and you will not be able to log in to your account again after that.
We usually perform Smart Contract Audits and Defi Audits. During such investigations, we imitate an attacker’s behavior and try to detect vulnerabilities with the smart contract or DeFi project protocol. This involved us developers scrutinizing the code that is used to underwrite the terms of the smart contract or the protocol. We make a report out of the results, and this allows the company to identify any potential bugs or vulnerabilities before it is deployed.
What is Most Vulnerable in 2020?
I think Defi is the most vulnerable right now because there are a lot of PR and Marketing guys who have gotten into it. Many don’t know the technology and think they can copy and paste a code from a token swap, and just make some money, but it is not that easy. Therefore, users have to take a proper review of who is behind it before investing in a DeFi project. If it’s not clear, then it is not a good idea to invest in it, and it has become too easy to lose money in Defi.
Interviewer , Editor : Lina Kamada
The Article published on this our Homepage are only for the purpose of providing information. This is not intended as a solicitation for cryptocurrency trading. Also, this article is the author’s personal opinions, and this does not represent opinion for the Company BTCBOX co.,Ltd.