Will Trading Crypto Get You Hacked?
Cryptocurrencies are now a booming trading market, but they also open an avenue of risk. Below, Schalk Nolte, CEO at Entersekt, discusses that risk and the overall safety of trading Bitcoin and similar currencies.
It’s official: Bitcoin is now the golden child of the investment community. Following news headlines about becoming instant millionaires, starry-eyed cryptocurrency enthusiasts are flocking to online exchanges to get in on the action. Sign up, transfer funds and trade – the faster, the better. To keep the eager traders’ money and data safe, these exchanges all need to have transaction security in place. And most of them do – except that their security appears to be stuck in the early 2000s.
Nine years ago, Bitcoin didn’t exist. Today, between three and six million people are estimated to have a bitcoin wallet, with over $3 billion worth of the currency traded every 24 hours. Nine years ago, the one-time password delivered by SMS (the SMS OTP, also known as the mobile transaction authentication number, or mTAN) represented the apex of transaction security. Today, other technologies have left SMS OTPs in the dust in terms of both user experience and security – and for good reason.
OTPs are typically reliant on mobile network operators for delivery, and they require additional effort from the user without rendering transactions fraud-proof as a reward. They are vulnerable to man-in-the-middle (MITM) attacks for the simple reason that an OTP is never truly out of band, whether it’s delivered via SMS or another route. Because it’s entered into a potentially compromised primary channel, it will always be susceptible to MITM attacks, while the involvement of mobile networks also introduces the possibility of attacks such as SIM swapping and number porting.
In fact, in August 2017, Sean Everett, CEO of artificial intelligence startup PROME, lost a significant cryptocurrency investment with the platform Coinbase as a result of a simple number porting attack made possible by SMS OTP. Soups Ranjan, Coinbase’s head of data science, commented: “I firmly believe we have the hardest payment fraud and user security problem in the world right now.” So how is it possible that the OTP is still the security measure of choice at the majority of cryptocurrency exchanges – and, more importantly, what are the alternatives?
In order to protect its trader members and allow them to match the pace at which cryptocurrency fluctuates, a cryptocurrency exchange needs to do three things:
Minimize risk: This is done by implementing a solution that offers solid app security and strong customer authentication for all transactions.
Make things easy: A convenient and user-friendly trading platform will attract and retain customers. To put it in terms of a real-world trading scenario: if you were a trader, would you want to open an app, copy an OTP, switch apps, and then paste it? Or would you prefer to simply open an app and scan your fingerprint? The choice isn’t difficult – especially considering that the easier option is also the safer one.
Achieve regulatory compliance: It’s cheap and easy for a trading platform to recommend or require that its traders install a third-party app like Google Authenticator, but this complicates regulatory compliance – for example with PSD2’s Regulatory Technical Standards on Strong Customer Authentication. Third-party apps often only authenticate logins, not transactions, and as such are not compliant with these requirements. OTPs, needless to say, do not comply either.
If they want to offer winning and secure trading options for cryptocurrency aficionados, it makes no sense for these exchanges to insist on using obsolete, not to mention risky, technology. Instead, exchanges should be employing a more robust and convenient out-of-band authentication solution that does not rely on mobile networks. They should look for a solution that offers PKI-based authentication and transaction signing directly from the mobile phone, which will eliminate fraudulent transactions and build trust in cryptocurrency trading practices – all while providing a user-friendly experience.
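As an added illustration of the device-bound transaction signing the paragraph above calls for (example code written for this article, not Entersekt’s product or any exchange’s implementation): the phone signs the exact transaction details with a key that never leaves it, and the exchange verifies that signature against the public key enrolled for the user, so a man-in-the-middle who alters the destination or amount invalidates the approval, which an OTP cannot do. Ed25519, JSON canonicalization and the per-transaction nonce are assumptions of the example, and the addresses are constructed.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
)

// Transaction is the detail set the user sees on the phone and that the signature covers.
type Transaction struct {
	User      string `json:"user"`
	ToAddress string `json:"to"`
	AmountSat uint64 `json:"amount_sat"`
	Nonce     string `json:"nonce"` // fresh per transaction, defeats replay
}

// canonical is the signed byte string; Go marshals struct fields in declaration order.
func canonical(tx Transaction) []byte { b, _ := json.Marshal(tx); return b }

// Device stands in for the enrolled phone app; its private key never leaves the device.
type Device struct{ priv ed25519.PrivateKey }

// Enroll generates the device key pair (Ed25519 assumed); only pub goes to the exchange.
func Enroll() (Device, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { panic(err) }
	return Device{priv}, pub
}

// Approve models the user reviewing the details on the phone and confirming them.
func (d Device) Approve(tx Transaction) []byte { return ed25519.Sign(d.priv, canonical(tx)) }

// Exchange keeps each user's enrolled public key and the nonces already spent.
type Exchange struct {
	keys map[string]ed25519.PublicKey
	seen map[string]bool
}

func NewExchange() *Exchange { return &Exchange{map[string]ed25519.PublicKey{}, map[string]bool{}} }

// Verify accepts only a signature over exactly these details under the enrolled key,
// and only once per nonce; any altered field makes the check fail.
func (e *Exchange) Verify(tx Transaction, sig []byte) bool {
	pub, ok := e.keys[tx.User]
	if !ok || e.seen[tx.Nonce] || !ed25519.Verify(pub, canonical(tx), sig) {
		return false
	}
	e.seen[tx.Nonce] = true
	return true
}
```

A tampered copy of a signed transaction, a replay of the same nonce, and a user with no enrolled key are all rejected, while the genuine approval is accepted exactly once.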
On the flip side, cryptocurrency traders should be demanding better security from the platforms they use. It is the only way for them to keep their investments safe and avoid becoming the next cybercrime news headline. After all, if cryptocurrency is at the cutting edge of innovation, shouldn’t the same apply to the protection of its trade?