Although the past year has been turbulent and unpredictable for Bitcoin and other cryptocurrencies – with more than $500 billion wiped off the total value of all cryptocurrencies – there has been a revival of sorts, and it remains at the forefront of the investment community. Today, more than 7 million people are estimated to have a Bitcoin wallet, with over $3 billion of the currency traded every 24 hours.
Just over ten years ago, Bitcoin didn’t exist. But, following news headlines about becoming instant millionaires, starry-eyed people flocked to cryptocurrency exchanges to get in on the action. Sign up, transfer funds and trade – the faster, the better. To keep the eager traders’ money and data safe, these exchanges needed to have robust transaction security in place. And most of them did. Except that now, their security solutions are still stuck in the early 2000s.
Ten years ago, the one-time password, whether delivered as an SMS OTP or as a mobile transaction authentication number (mTAN), represented the pinnacle of transaction security. SMS OTPs depend on mobile operators for delivery and demand extra input from the user, but offer no fraud-proof transaction in return. They remain vulnerable to man-in-the-middle and real-time phishing attacks because the code is never truly out-of-band: it is a short secret that the user types back into the very session an attacker may control, and it is not bound to the details of the transaction it approves, so a relayed code authorizes whatever the attacker has substituted. That holds regardless of whether the code arrives via SMS or another route; SMS adds the further risk that delivery itself can be hijacked through SIM swapping or number porting.
It is not the cryptocurrencies themselves that are inherently unsafe; the weak link is the security measures employed by the exchanges. Just ask Sean Everett, CEO of artificial intelligence start-up PROME, who lost a significant cryptocurrency investment on the Coinbase platform in August 2017 as a result of a simple number porting attack, made possible by the platform's reliance on SMS OTP. Soups Ranjan, Coinbase’s head of data science, commented: “I firmly believe we have the hardest payment fraud and user security problem in the world right now.”
Today, we know that out-of-band push authentication leaves SMS OTP in the dust in terms of security and user experience. So then, why is the OTP still the security measure of choice at most cryptocurrency exchanges? The exchanges need to do better if they are going to protect the data and assets of their users and allow them to trade at a speed that matches the pace at which cryptocurrencies fluctuate. There are three main things that a cryptocurrency exchange can do to ensure this:
- Minimize risk: Implementing a solution that offers solid app security and strong customer authentication for all transactions will go a long way to reducing users’ exposure to risk.
- Make things easy: A convenient and user-friendly trading platform will attract and retain users. Think of it this way: if you were a trader, would you want to open an app, copy an OTP, switch apps, and then paste it into the new app? Or, would you prefer to simply open an app and scan your fingerprint? The choice isn’t difficult – especially because the easier option is also the safer one.
- Achieve regulatory compliance: It’s cheap and easy for a trading platform to recommend or require that their traders install a third-party app like Google Authenticator, but this generally doesn’t align with regulatory requirements such as PSD2’s Regulatory Technical Standards on Strong Customer Authentication. Third-party authenticator apps typically only authenticate logins, not transactions: the code they produce is the same whatever the amount or payee, whereas the RTS’s dynamic-linking requirement calls for an authentication code that is specific to the amount and the payee the user has agreed to. Whether or not OTPs comply continues to be debated.
If a cryptocurrency exchange wants to offer its users a secure trading option, it makes no sense for it to still be using obsolete and risky technology. Instead, exchanges should be looking for more complete, convenient, out-of-band authentication solutions that are centred on the mobile phone itself, not the network. Solutions that offer mobile PKI-based authentication and transaction signing out-of-the-box bind the approval to the exact transaction details the user saw on the phone: the server rejects any transaction whose details differ from what was signed, which is precisely the substitution that a relayed OTP cannot catch. That is what builds trust in the cryptocurrency trading practice. Traders also need to exercise their right to demand better security from the platforms they use – it’s the only way their investments will stay safe.
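The following Go program is an added example, not code from the original article or from Entersekt, and it illustrates the two points made above: why a relayed OTP approves a substituted transaction, and why a device-signed transaction does not. The OTP side implements HOTP (RFC 4226) with the RFC's own test secret; the signing side uses an Ed25519 key pair standing in for a key generated in the phone's secure hardware. The `Transfer` struct, its server-issued `Nonce` field, the canonical byte layout, and all addresses and amounts are assumptions constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// Transfer is the withdrawal a user is asked to approve (constructed shape).
// Nonce is issued by the server for this one approval and is part of what is signed.
type Transfer struct {
	Asset, Amount, Dest, Nonce string
}

// canonical is the exact byte string the phone shows the user and signs, and that
// the server re-derives from the transfer it is about to execute.
func (t Transfer) canonical() []byte {
	return []byte(strings.Join([]string{t.Asset, t.Amount, t.Dest, t.Nonce}, "\n"))
}

// ---- OTP path: HOTP (RFC 4226), six digits ----

// hotp computes the six-digit code for a shared secret and counter.
func hotp(secret []byte, counter uint64) string {
	var c [8]byte
	binary.BigEndian.PutUint64(c[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(c[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f // dynamic truncation offset
	code := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// otpApprove is the check an OTP-based exchange performs before executing whatever
// Transfer is in the session. The code depends on secret and counter only, so t is
// deliberately unused: a code relayed by an attacker approves a transfer the user never saw.
func otpApprove(secret []byte, counter uint64, submitted string, t Transfer) bool {
	_ = t
	return hmac.Equal([]byte(hotp(secret, counter)), []byte(submitted))
}

// ---- Transaction-signing path: device-held Ed25519 key ----

// Device stands in for the phone; in a real deployment the private key is generated
// in, and never leaves, the phone's secure hardware.
type Device struct{ priv ed25519.PrivateKey }

// Enroll creates the device key pair; the public key is registered with the exchange once.
func Enroll() (Device, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Device{priv: priv}, pub
}

// Approve runs on the phone after the user has read t on screen and confirmed it
// (for example with a fingerprint). The signature covers every field of t.
func (d Device) Approve(t Transfer) []byte {
	return ed25519.Sign(d.priv, t.canonical())
}

// Server verifies approvals against the enrolled public key and refuses replays.
type Server struct {
	pub  ed25519.PublicKey
	used map[string]bool // nonces already spent
}

func NewServer(pub ed25519.PublicKey) *Server {
	return &Server{pub: pub, used: map[string]bool{}}
}

// Execute accepts t only if sig is a valid signature over exactly t and t.Nonce is
// fresh. A transfer altered between phone and server fails the signature check.
func (s *Server) Execute(t Transfer, sig []byte) error {
	if s.used[t.Nonce] {
		return errors.New("replayed approval")
	}
	if !ed25519.Verify(s.pub, t.canonical(), sig) {
		return errors.New("signature does not match the transfer to be executed")
	}
	s.used[t.Nonce] = true
	return nil
}

func main() {
	intended := Transfer{"BTC", "1.0", "addr-user", "n-0001"} // constructed sample
	tampered := intended
	tampered.Dest = "addr-attacker" // man-in-the-middle swaps the payee

	// OTP: the attacker relays the genuine code and the tampered transfer goes through.
	secret := []byte("12345678901234567890") // RFC 4226 test secret
	fmt.Println("OTP accepts tampered transfer:", otpApprove(secret, 0, hotp(secret, 0), tampered))

	// Signing: the phone signed what the user saw, so the swap and any replay are caught.
	dev, pub := Enroll()
	srv := NewServer(pub)
	sig := dev.Approve(intended)
	fmt.Println("signing rejects tampered transfer:", srv.Execute(tampered, sig))
	fmt.Println("signing accepts intended transfer:", srv.Execute(intended, sig))
	fmt.Println("signing rejects replay:", srv.Execute(intended, sig))
}
```

The asymmetry is the whole argument: `otpApprove` cannot tell the two transfers apart because the transfer never enters the computation, while `Execute` fails the moment a single byte of the canonical transfer changes or a nonce is reused. Note that the phone must render the canonical fields to the user before signing; a signature over data the user did not see is no better than an OTP.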
Cryptocurrencies lie at the cutting-edge of innovation. To realize their potential, shouldn’t the same apply to the technology that backs up the exchanges?
Written by Schalk Nolte, CEO, Entersekt