With digital currencies booming in popularity over the past year or so, the security of the digital exchanges that convert users’ fiat money into cryptocurrencies like Bitcoin is coming into clearer focus—and the picture isn’t consistently pretty, according to a survey released this week.
Some popular exchanges allow users to create accounts with passwords as simple as “1234” or “password,” according to the survey, which was conducted earlier this month by Dashlane Inc., a New York City-based company that markets password-management software.
Of some 35 exchanges tested on five security criteria, only 10 imposed all five, the research found. The criteria are: a password of eight or more characters; a password including both letters and numbers; an onscreen indicator of the password’s strength; a confirmation email that omits stating the password in plain text; and any type of two-factor authentication.
Ten more exchanges scored a four out of five, while the remaining 15 required three or fewer. In an instance that shocked the researchers, they were able to create passwords that consisted of just a single character, such as the letter “a” or the numeral “1.” In other cases, they found their password was stated in plain text in confirmation notices, leaving their accounts vulnerable if hackers compromised their email. The selected companies represented some of the largest by volume of activity, according to Ryan Merchant, a senior manager at Dashlane, which intends to repeat the survey annually.
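The five criteria and the 0-to-5 scoring described above, written out as an added example (not Dashlane's methodology or any exchange's code): a registration-time password check that rejects the single-character and “1234”-style passwords the survey found, a coarse on-screen strength label, and a tally of how many criteria a constructed exchange policy meets. The strength heuristic and the `ExchangePolicy` fields are assumptions made for the example.

```python
"""Added example: enforce the survey's account-security criteria at sign-up."""
import re
from dataclasses import dataclass

MIN_LENGTH = 8  # survey criterion: eight or more characters


def password_violations(pw: str) -> list[str]:
    """Return the survey's password criteria that a candidate fails (empty = acceptable)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if not (re.search(r"[A-Za-z]", pw) and re.search(r"[0-9]", pw)):
        problems.append("must contain both letters and numbers")
    return problems


def strength_label(pw: str) -> str:
    """Coarse indicator of the kind the survey wanted shown on screen.
    Scoring rule is a constructed heuristic: one point per character class
    present, plus one each for reaching 8 and 12 characters."""
    classes = sum(bool(re.search(p, pw))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    score = classes + (len(pw) >= 8) + (len(pw) >= 12)
    return "weak" if score <= 2 else "fair" if score <= 4 else "strong"


@dataclass
class ExchangePolicy:
    """Constructed description of one exchange's account-security controls."""
    name: str
    min_length: int
    requires_letters_and_digits: bool
    shows_strength_meter: bool
    emails_password_in_plaintext: bool  # the failure Merchant saw in his confirmation email
    offers_2fa: bool


def survey_score(p: ExchangePolicy) -> int:
    """Count how many of the survey's five criteria the exchange satisfies (0-5)."""
    return sum([
        p.min_length >= MIN_LENGTH,
        p.requires_letters_and_digits,
        p.shows_strength_meter,
        not p.emails_password_in_plaintext,
        p.offers_2fa,
    ])


if __name__ == "__main__":
    for pw in ("1234", "password", "a", "Correct4Horse!"):
        print(f"{pw!r}: {password_violations(pw) or 'ok'} ({strength_label(pw)})")
    lax = ExchangePolicy("ExampleLax", 1, False, False, True, False)  # constructed exchange
    print(f"{lax.name}: {survey_score(lax)} / 5")
```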
“You can have all the best security in the world, but if you’re protecting [assets] with ‘1234’ that’s all for naught,” Merchant tells Digital Transactions News.
Cryptocurrency exchanges have seen a rise in activity in recent months as many currencies have enjoyed a run-up in value. But even periodic crashes can spur action as users rush to cash out of their positions. The widening popularity of cryptocurrency trading has only intensified security concerns, experts say.
“Crypto has blown up over the last six to 12 months. It’s a gold rush to get in,” says Merchant, who pushed for the survey after he created an account and then received a confirming email from the exchange stating his newly created password in plain text.
A number of exchanges have been victimized by online intruders in recent years. In one of the most recent cases, a South Korean exchange called Bithumb sustained a breach last July in which a hacker was able to siphon the names, email addresses, and phone numbers of 31,000 users out of an employee’s personal computer.
Dashlane’s survey did not surprise expert observers. At least one, indeed, said concerns go well beyond password security. “The password issue is only a tip of the iceberg,” says Gabriel Wang, capital markets and fintech analyst at Aite Group, a Boston-based research firm, in an email message. These concerns, he adds, include whether exchanges segregate crypto and fiat assets, report activity with regular statements to users, and offer secure wallets where users can store their crypto holdings off-site. He predicts a shakeout among smaller exchanges that he says lack the funding to install proper security measures.
Other observers agree, and argue that government regulation will ultimately have to be imposed. Dashlane’s survey “is … a good reminder that the security of these exchanges [is] far from equivalent to what consumers enjoy elsewhere,” says Al Pascual, research director and head of fraud and security at Javelin Strategy & Research, Pleasanton, Calif., in an email. “Once [regulators] get their arms around the activity on these exchanges and can identify the true potential for harm to investors from poor security, [they] will push for much more security than is commonplace today.”