Ready to ask the right questions to determine how secure the centralized exchange you trade with is?

SWB
7 min read · May 26, 2022

The total trading volume of centralized cryptocurrency exchanges (CeXs) in 2021 was 14 TRILLION DOLLARS!*¹ You heard it right: that is exactly 4.68 times Apple's market value.*² The total trading volume of decentralized cryptocurrency exchanges (DeXs) was unfortunately limited to 1 trillion dollars.*³ This shows us that the share of users preferring centralized exchanges is about 93%.

As a Security Specialist, when I look at these statistics, I can't help thinking of this question: "How do we make users who want to use a centralized exchange more conscious about their security?" This article was written precisely for this purpose. However, before going into the details, let me tell you a story from the Witcher series, which I am a fan of.

Disguised as Mousesack*⁴, the doppler Adonis*⁵ comes to pick up Princess Ciri*⁶ from the forest of Brokilon*⁷. When Princess Ciri sees Mousesack in front of her, she trusts him blindly. She decides to leave the forest with him and Dara, with whom she has come all the way to Brokilon. Just before leaving, she receives a piece of advice from the Dryad Queen*⁷:

"The burden of power can be painful. Be careful. Always ask the right questions."

Mousesack takes Princess Ciri and Dara, who has become suspicious of his identity, from Brokilon to go back to the castle. On the way, Princess Ciri asks Mousesack questions to which only the real Mousesack would know the answers. The fake Mousesack gives one wrong answer after another, and his cover is blown.

It turns out that Mousesack, for whom Princess Ciri would hit the road without hesitating, is an impostor who has come to lure Ciri into a giant trap.

We can obtain several external clues as to whether a CeX is safe or not. There are also precautions/mitigations and vulnerabilities that only the security people inside will know about, or that only those well-versed in technical matters can notice. My purpose here is to show what can be learned about security by looking at a centralized cryptocurrency exchange from the outside. This article examines CeXs through a concept known as the "CIA Triangle" in the security literature.

CIA Triangle (Confidentiality, Integrity, and Availability)

  • Confidentiality refers to protecting the privacy of your personal data (PII), which should remain confidential in an exchange.
  • Integrity means keeping the data, which is stored in the database of the CeX, away from manipulation and protecting it against deletion, tampering, and modification.
  • Availability means that you have the capability to access the CeX anytime you want. 😅

A problem on any side of this triangle threatens the overall security. In other words, in order for a CeX to be secure, all these three elements must work smoothly.

Let's see five items regarding what we should prioritize when choosing a secure centralized exchange.

1. Transparency Regarding Security Incidents

All systems can be hacked if you have enough money and time. So, it is not possible to find a centralized exchange that will never have security problems. The job of security professionals is therefore to make hacking a system harder and more costly. In this way, the probability of encountering security vulnerabilities is reduced, but the possibility is never going to be zero.

One of the first things to assess in a CeX is the security incidents that have occurred in the last three years. If there was a weakness, has detailed information been given about it? Of course, there may not have been any significant incidents in the last three years, but that is not very likely. Therefore, if the exchange you prefer has not reported any weaknesses or incidents since its establishment, I recommend that you question that exchange's transparency.

Note: The exchange does not need to disclose every detail of a security incident, just the points the end-user needs to know.

2. Managing the Bug Bounty Program

Even if you hire the best professionals in the cyber security industry and even receive audits from the best companies, it will not be enough for the security of a CeX. There will always be a blind spot. For that reason, centralized cryptocurrency exchanges often prefer to reward hackers who find vulnerabilities in their systems by running bug bounty programs. If the CeX you prefer to use does not have a bug bounty program, you can add it to the "cons" list.

Bug bounty programs may differ. The worst type of bounty management, in my opinion, is when a company runs it entirely on its own, because such a program attracts too few qualified hackers. The best bug bounty programs in the cryptocurrency industry are usually conducted through the platforms I have listed below.

You can save one more spot in the cons list for exchanges that do not run any bug bounty programs.

3. Security Audits conducted by Independent Auditors

The people or teams that design a system should bring in outside support to test the security of what they have designed. For this reason, security testing teams and security architecture teams are generally kept separate from each other. Having the same people or teams conduct the penetration tests will create blind spots after a while. You can get an idea of how much importance a crypto exchange gives to "security" by checking the number and quality of security audits or penetration tests that it has had independent auditors conduct within one year.

If the exchange is regularly audited and tested by independent security companies that are experts in their fields, add it to your "pros" list. A CeX that we consider secure is one that regularly undergoes security audits and makes a summary accessible to end-users, even if it does not publish the full report.

4. Following "Security Best Practices"

We can define the Security Best Practices as a set of disciplines that have been put together through long years of experience (gained through blood, sweat, and tears). 😪

Here, it is easy to lose track, because there are so many Security Best Practices that can be applied. So, I'll explain them by dividing them into two groups.

A. Security Best Practices for End-Users

  • Secure password creation policy,
  • Support for two-factor authentication (TOTP or U2F)
  • Precautions against phishing attacks (an anti-phishing code in e-mails, etc.),
  • Precautions in fiat money or crypto money deposit/withdrawal transactions,
  • Presenting the account activity to the user and revoking suspicious login sessions,
  • Adding cryptocurrency withdrawal addresses through a multi-step confirmation,
  • Confirming new devices through a multi-step flow when logging into your account.

This list goes on and on. 🤭 Although a longer list may seem better, balance is everything. A centralized exchange should not compromise on security, but it should not undermine the user experience, either. Overly complex systems cause bigger problems of their own and lead to a poor user experience.

I actually have a catchy saying about it:

Security has a balance. It should be neither too little nor too much.

B. Security Best Practices for Technical Areas

It is tough to know or to determine whether the methodologies I will talk about are applied or not. That's because, to make that judgement, you must either be an insider or someone who knows these methodologies professionally. However, some centralized cryptocurrency exchanges are transparent about this and share what they are doing. If you can find an exchange that follows and implements one or more of the following Security Best Practices, put it in the "pros" list along with a big old heart. 💙

There are many standards (ISO, etc.) that can be added to the methodologies we have listed. However, this list will be sufficient to identify the general framework.

5. "Accessibility" — the nightmare of all exchanges

Is there any CeX that has never crashed when prices rise or fall suddenly? Of course not. I often hear talk like this among non-technical people:

"Man… they are shutting down the system to manipulate the price!!!"

Having worked on the security team of a centralized exchange in the past, I can say firsthand that this is not true for the best exchanges. The problems are usually technical in origin. I've listed the origins of the accessibility problem for you, leaving out the centralized exchange I worked at in the past:

  • Poor quality coding,
  • Non-scalable architecture,
  • Failing to perform scale tests,
  • Problems caused by a third-party service provider/vendor,
  • Misconfiguration of the architecture,
  • Going for the cheap options! (When choosing staff or technical partners).

One of the things to do when choosing a centralized exchange is to go through the "status" page of that exchange, if it has one, to see what kind of accessibility problems it has experienced (and how often) in the last year. If it does not offer anything you can analyze, it would be wiser not to get involved at all.

For those seeking a suggestion:

After telling you so much about technical issues and methodologies, I will, of course, recommend a centralized cryptocurrency exchange. But you have to understand that I don't have any sponsorship or collaboration agreement with the exchange I'm going to recommend. I just want you to know that there is a centralized exchange that implements the security elements I have mentioned here in the best way possible.

If you haven't seen or heard of it yet, the Kraken centralized cryptocurrency exchange will surprise you with practices that check all the boxes and deserve the big hearts in our "pros" list. But unfortunately, since this is a suggestion based on my findings and not on sponsorship, you don't get a referral link. LoL. 😅

Last but not least:
A note from SWB: it is always better to be cautious now than sorry later.

Sources and Explanations

*¹: Centralized crypto exchanges saw over $14 trillion in trading volume this year
*²: Apple becomes first company to hit $3 trillion market value, then slips
*³: CEXes reaches about $1 trillion for 2021
*⁴: The Witcher Wiki — Mousesack
*⁵: The Witcher Wiki — Doppler
*⁶: The Witcher Wiki — Ciri
*⁷: The Witcher Wiki — Brokilon and Dryads
*⁸: Mobile Applications Security Architecture (in Turkish)

This article was originally published in the Turkish language on 4 February 2022.
