In light of yesterday’s Binance hack, exchange security is back in the spotlight. Changpeng Zhao has reassured affected users they would be compensated for the loss of 7,000 bitcoins, and Binance has a reputation for excellence when it comes to security.
But as the latest hack has shown, even the best security may not be secure enough.
Not Your Keys, Not Your Bitcoin
The phrase “Not your keys, not your bitcoin” is a reminder to crypto hodlers to keep their funds offline, in cold wallets, and to employ sound security practices with respect to private keys. But the fact is that centralized exchanges remain crucial gateways between crypto and fiat, and offer important liquidity for crypto traders.
After the company’s security was breached, it became clearer than ever that even the best and most reputable exchanges are not 100% foolproof. There is a lot that the likes of Poloniex, Binance, and Kraken do right when it comes to security, but even that remains insufficient.
Can Multi-Factor Authentication Solve The Problem?
Most reputable exchanges require or recommend that users employ 2FA, whereby funds can only be withdrawn using something you know (email, password) and something you have (an authenticator account on a phone – or even a physical device – that generates a random number).
Multi-factor Authentication (MFA) calls for even further steps. 3FA, for example, requires you to add something you are to the things you have and know as an authentication factor. This factor requires additional authentication with a fingerprint, palm, retina, voice, or facial recognition.
Other factors may take into account location identification (somewhere you are) and gestures or actions (something you do) to allow you access.
But these come with their own problems. Location authentication measures are a nightmare to navigate for those who travel frequently. Geolocation technology could be useful here, restricting services if something geographically infeasible occurs. This would happen if, for example, you log into an account on one continent and do the same on another a few minutes later.
Why Aren’t Exchanges Better Equipped To Deal With Cyber Threats?
Some exchanges use additional security measures, such as multi-step procedures, withdrawal maximums, and enforced withdrawal delays. And it is certainly true that some hacks, such as the January 2018 theft of $500 million worth of NEM from Japan’s Coincheck, was due to poor security protocols. In Coincheck’s case, all the NEM it held were stored in a hot wallet.
After the Coincheck hack, a report by Dashlane found that more than 70 percent of all crypto exchanges had “unsafe password practices” and were vulnerable to attack. As Crypto Briefing has previously reported, the cryptocurrency and blockchain industry is still under-prepared for digital thefts.
Can Cryptocurrency Exchanges Be Insured?
Gemini proudly promotes the fact that user funds held in their hot wallets are insured against theft. Coinbase and Circle also have coverage in place, as does Australia’s Independent Reserve.
Yet insurance is not an industry-wide solution and creates a moral hazard. Knowing that their losses will be covered by the exchange may encourage users to behave carelessly, rather than deploying all the security tools at their disposal.
Are Decentralized Exchanges The Answer?
Overly zealous exchanges have been known to impose security measures on users without warning, effectively holding their funds to ransom. And on the outer fringes of the industry, the BitGrails of crypto keep rearing their heads, with lax security and appalling attitudes towards their users.
The promise of decentralized exchanges could be cause for optimism. Binance, ironically, stoked that fire by announcing the launch of its DEX, based on the BNB blockchain.
But for all they offer in terms of genuine peer-to-peer transactions, DEXs are incredibly difficult to keep liquid and may not emerge until after the demise of many of today’s altcoins. At that point, the crypto world is likely to need fewer exchanges, not more.
For all their flaws, the crypto industry is likely stuck with centralized exchanges, at least for the foreseeable future. Although markets like Binance and Gemini have done much to reassure frequent traders, for most of us, the best security is also the simplest: to store your own keys in an offline environment.