It’s not surprising that, apart from fees and fake volumes, cybersecurity is an essential factor to consider when choosing an exchange. It is vital to note that before CER, no analytical platform had comprehensively assessed the level of protection of crypto exchanges. In March 2014, Poloniex lost $64,000; in August 2016, $77 million was stolen from Bitfinex; and half a year later, Bithumb suffered a theft of $1 million.
Can we assume that if CER had existed in April 2014, all these hacks could have been avoided, because both users and developers could have checked the security parameters of these three exchanges and learned about the flaws in their protection? Who knows. Today it is quite possible to reduce the risk of losing funds by checking the security of crypto exchanges. Let’s see how to do it using CER!
What can you expect from Cyber Security Score?
Cybersecurity comprises the technologies, processes, and controls designed to protect systems, networks, and data from cyber-attacks. Effective cybersecurity at an exchange reduces the risk of a successful attack and protects its customers (traders) from theft. Cyber Security Score (CSS) is one of the four main totals that Crypto Exchange Ranks (CER) uses to calculate its composite rating of crypto exchanges. It is an assessment of the cybersecurity characteristics of an exchange and consists of three weighted subtotals: APP LVL Security (Application level security), SSL (Secure Sockets Layer)/TLS (Transport Layer Security) connection, and Domain Security. Each subtotal is in turn made up of several metrics (see Table 2 for the detailed CSS components).
Table 1 shows heat mapped CSS for all exchanges covered by CER.
Kraken has the highest Cyber Security Score (9.23 points) because it has a perfect SSL/TLS connection, perfect domain security, and good application security (10, 10, and 7.92 points respectively). Cex.io is just 0.05 points behind the leader and lags slightly on domain security (9.82 vs 10.00). Binance has perfect application security and a perfect SSL/TLS connection, but it falls behind on domain security with just 6.70 points; as a result, it sits in 3rd position on the CSS rank with 9.01 points. It is worth noting that Kucoin is the only exchange covered by CER with a very low SSL/TLS connection subtotal. Also, 15 out of 18 crypto exchanges have similar Domain Security subtotals; only Kucoin, which is far behind all the others, has a remarkably low one.
Components of Cyber Security Score to count on
Here’s a detailed description of the components of each subtotal. APP LVL Security (Application level security) includes:
- Server security (SS) – the protection of the information assets that can be reached through the web server.
- Captcha (C) – protects the website and its users from automated actions (brute-force login attempts, spam, etc.).
- Multi-factor authentication (MFA) – an additional authentication factor beyond the password, which protects user accounts even if the password is phished or leaked.
SSL/TLS connection has the following structural units:
- Compliance with requirements (CR) – checks the server configuration for outdated SSL/TLS protocol versions and cipher suites. Outdated ones let an attacker downgrade or decrypt user traffic and capture logins/passwords.
- Most recent SSL/TLS vulnerabilities and weaknesses (VW) – checks for known SSL/TLS vulnerabilities (protocol attacks and implementation bugs). Depending on the flaw, these let an attacker decrypt traffic and obtain logins/passwords, or compromise the server and its private keys.
- Presence of third-party content (TPC) – if an HTTPS page loads third-party content (scripts, stylesheets, frames) over plain HTTP, an on-path attacker can replace that content with their own (mixed content) and take over user accounts.
Domain security, in turn, has the following components:
- SPF domain records (SPF) – let receiving mail servers verify that the sending server is authorized for the exchange's domain, protecting users from forged mail (email spoofing). SPF only checks the envelope sender, not the From: header a user sees, so it should be combined with DKIM and DMARC.
- DNSSEC records (DNSSEC) – cryptographically sign DNS answers so that validating resolvers reject forged records and users are not directed to an attacker's IP address (illustrative example: genuine binance.com → 192.168.2.20, forged binance.com → 188.8.131.52; the addresses are placeholders, not the exchange's real ones).
- Web application firewall (WAF) – filters malicious requests to protect the exchange from common web attacks such as SQL injection (SQLi) and remote code execution (RCE).
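The component descriptions above read like a checklist, so here is how a practitioner would implement simplified versions of several of them. This is an added example written for this article, not CER's own code: CER does not publish its metric definitions or weights, so every threshold, weight, and score scale below is an assumption, and the inputs (offered protocol and cipher lists, TXT records, DNSSEC status, page HTML, the host `exchange.example`) are constructed so that the script runs offline. It covers the CR and TPC checks of the SSL/TLS subtotal, the SPF and DNSSEC checks of Domain Security, and the weighted combination into a total.

```python
"""Toy versions of checks behind CER's Cyber Security Score subtotals.

Added illustration for this article, not CER's code: CER does not publish
its metric definitions or weights, so every threshold, weight and sample
input below is an assumption, and inputs are constructed to run offline.
"""
import re
from html.parser import HTMLParser

# --- SSL/TLS connection: compliance with requirements (CR) ---
OUTDATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5")

def tls_compliance_score(offered_protocols, offered_ciphers):
    """0-10: start at 10, deduct 2.5 (assumed) per outdated protocol or weak suite."""
    findings = [f"outdated protocol offered: {p}" for p in offered_protocols
                if p in OUTDATED_PROTOCOLS]
    findings += [f"weak cipher suite offered: {c}" for c in offered_ciphers
                 if any(m in c.upper() for m in WEAK_CIPHER_MARKERS)]
    return max(0.0, 10.0 - 2.5 * len(findings)), findings

# --- SSL/TLS connection: third-party content (TPC) ---
class _SubresourceCollector(HTMLParser):
    """Collects (tag, url) for scripts, stylesheets, frames and images."""

    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "iframe", "img") and a.get("src"):
            self.resources.append((tag, a["src"]))
        elif tag == "link" and a.get("href") and "stylesheet" in (a.get("rel") or ""):
            self.resources.append((tag, a["href"]))

def mixed_content_findings(page_host, html):
    """Sub-resources an HTTPS page fetches over plain HTTP.

    An http:// script, stylesheet or frame can be rewritten by an on-path
    attacker and then runs in the page's origin ("active"); an http:// image
    can only be swapped ("passive"). The last field flags third-party hosts.
    """
    collector = _SubresourceCollector()
    collector.feed(html)
    findings = []
    for tag, url in collector.resources:
        m = re.match(r"http://([^/:?#]+)", url, re.IGNORECASE)
        if m:
            host = m.group(1).lower()
            kind = "active" if tag in ("script", "link", "iframe") else "passive"
            findings.append((kind, tag, host, host != page_host.lower()))
    return findings

# --- Domain security: SPF ---
_LOOKUP_TERM = re.compile(r"^[+~?-]?(a|mx|ptr|include|exists)(?=[:/]|$)|^redirect=", re.I)
_ALL_TERM = re.compile(r"^([+~?-]?)all$", re.I)
_ALL_SCORES = {"-": 10.0, "~": 7.0, "?": 4.0, "+": 2.0}  # assumed scale

def spf_score(txt_records):
    """0-10 from the published SPF policy; the permerror cases of RFC 7208
    score 0. Caveat: SPF checks the envelope sender (MAIL FROM), not the
    From: header users see, so it must be paired with DKIM and DMARC."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return 0.0, "no SPF record"
    if len(spf) > 1:
        return 0.0, "multiple SPF records: receivers treat this as permerror"
    terms = spf[0].split()[1:]
    if sum(1 for t in terms if _LOOKUP_TERM.match(t)) > 10:
        return 0.0, "more than 10 DNS-lookup terms: receivers treat this as permerror"
    for t in terms:
        m = _ALL_TERM.match(t)
        if m:
            q = m.group(1) or "+"
            return _ALL_SCORES[q], f"'{q}all' policy"
    return 4.0, "no 'all' term: unlisted senders get a neutral result"

# --- Domain security: DNSSEC, and the weighted total ---
def dnssec_score(zone_signed, parent_has_ds):
    """10 if signed and the parent publishes a DS record (validating resolvers
    can reject forged answers), 3 if signed without a DS (nobody can validate
    it), 0 if unsigned. Scale is assumed."""
    return 0.0 if not zone_signed else (10.0 if parent_has_ds else 3.0)

SUBTOTAL_WEIGHTS = {"app": 0.4, "tls": 0.3, "domain": 0.3}  # assumed, not CER's

def cyber_security_score(app_lvl, ssl_tls, domain):
    """Weighted sum of the three 0-10 subtotals."""
    return round(SUBTOTAL_WEIGHTS["app"] * app_lvl + SUBTOTAL_WEIGHTS["tls"] * ssl_tls
                 + SUBTOTAL_WEIGHTS["domain"] * domain, 2)

# Constructed page for a hypothetical exchange at exchange.example.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://cdn.example.net/site.css">
<script src="http://cdn.example.net/analytics.js"></script>
<script src="https://exchange.example/app.js"></script>
</head><body><img src="http://img.example.org/logo.png"></body></html>"""
```

On the constructed page, `mixed_content_findings("exchange.example", SAMPLE_HTML)` reports the analytics script as active mixed content from a third-party host and the logo as passive; the HTTPS stylesheet and first-party script are clean. `spf_score(["v=spf1 include:_spf.example.net ~all"])` returns 7.0 for the soft-fail policy, while a record with eleven `include:` terms scores 0 because receivers would return permerror and skip SPF entirely. For a live assessment the inputs would come from `openssl s_client` output (offered protocols and suites), a TXT lookup of the domain, and a DS lookup at the parent zone with `dig +dnssec`.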
How to compare exchanges by CSS
Table 2 shows the Top-3 crypto exchanges with the highest CSS ranks. Even though Kraken has a lower Captcha component than Cex.io and Binance, and therefore an APP LVL Security subtotal of only 7.92 (10.00 for Binance), it still holds 1st position thanks to a perfect SPF domain records component and, as a result, a Domain Security subtotal of 10.00. This allows Kraken to outperform Binance on CSS. Binance, as described above, has perfect APP LVL Security and SSL/TLS connection subtotals, but the absence of DNSSEC records, and hence a DNSSEC component score of 0, lowers its Domain Security subtotal to 6.70 (from Table 1 we can see that this score is average). For this reason, Binance finished 3rd.
Table 3 shows the Bottom-3 crypto exchanges, which have the worst CSS scores. Kucoin occupies the last position in our CSS rating. It is the only exchange that has no web application firewall; therefore, despite SPF and DNSSEC scores similar to those of the other Bottom-3 exchanges, Kucoin's Domain Security score is 2.85 (6.70 for Gemini and Exmo). Further, Kucoin is the only exchange with a very low SSL/TLS connection subtotal, due to a messy system structure: it scores just 2.00 on SSL/TLS connection, against 10.00 for every other exchange covered by CER. It is worth noting that Kucoin scored relatively higher on application security (5.83 vs 4.10 and 3.82 for Gemini and Exmo respectively).
Cybersecurity in the modern world is crucial. Computer networks have been exposed to attacks since they were created, and the threat will keep growing along with the networks. Fortunately, proper tooling and specialists make it much easier to detect attacks and recover from the losses they cause. Cyber Security Score by CER gives you an idea of the risks associated with trading on a given crypto exchange.
So, once you learn to use CER's Cyber Security Score to the full extent, you can easily tell which exchanges are not secure enough to hold your funds.
Make the right decisions and choose lower-risk exchanges while CER is free!
Share your experience of using CER in …