In March 2018 there were more than 1,000 cryptocurrencies in circulation, with a total value of over $400 billion – up from $19 billion just a year earlier. While the underlying blockchain technology of the cryptocurrency is in most cases natively secure, with this rapidly growing adoption it is important to examine where the cryptocurrency is vulnerable and how the various players of the ecosystem can secure their investments.
This article will help participants in that cycle to understand these vulnerabilities and improve security, including:
- Issuers of the ICO hosting sites where investors send their currency.
- Operators of cryptocurrency exchanges that often hold and trade millions of dollars of assets.
- Owners of cryptocurrency who must choose an exchange, and then protect their cryptocurrency wallets.
Since the inception of Bitcoin in 2009, the volume and value of cryptocurrencies have increased dramatically. Other currencies such as Ethereum, Litecoin, and Stellar have been issued and now there is a steady stream of new currencies issued in initial coin offerings (ICOs). There are now over 1,000 cryptocurrencies in circulation, with a corresponding increase in the number of currency owners. The total value of publicly traded cryptocurrencies is over $400 billion (as of March 6, 2018), having grown from a value of $19 billion just a year ago.
With this rapidly growing adoption, it is important to describe where the cryptocurrency is vulnerable and how the various players of the ecosystem can secure their investment. While the underlying blockchain technology of the cryptocurrency is in most cases natively secure, there are vulnerable points in the cryptocurrency life cycle. This paper will help improve security for participants in that cycle.
Vulnerabilities for an Emerging Cryptocurrency Industry
Here are some of the critical phases of a cryptocurrency lifetime where security is at risk:
- Issuers of the ICO, whose site (where the ICO is issued and where investors send their currency) can be attacked to interfere with the offering and with later support for the cryptocurrency. In one case the offering site was hacked to change the address for sending investments, thereby diverting a portion of the offering. ICO websites have also been subject to major DDoS attacks that made the site unavailable and disrupted the ICO.
- Operators of cryptocurrency exchanges that often hold millions of dollars of assets at any given point, and trade a large number of assets in real-time transactions. Those sites can be overwhelmed by transactions or subject to attack. In some cases, DDoS attacks caused the exchange to be unavailable for some time.
- Cryptocurrency wallet: Owners of cryptocurrency must choose an exchange and then protect their cryptocurrency wallet. Funds have been stolen from private and online wallets through credential stuffing with stolen credentials or through phishing attacks.
Initial Coin Offering
The website or mobile application serving the cryptocurrency is vulnerable just like any site but is an especially tempting target for attackers. There have been attacks on ICO sites that delayed the offering or even siphoned off a portion of the offering cryptocurrency. In one case an attacker switched the official contribution address to the attacker’s anonymous address using a defacing attack. As a result Ether was redirected to that address for several minutes.
ICO sites are also often subject to large volumetric network-layer or application-layer DDoS attacks.
Given the large volume of transactions, ICO sites require a high level of protection using the following practices:
- Authentication: Keep unauthorized visitors out by requiring strong passwords and two-factor authentication. On a failed login attempt, do not disclose more information than required, such as which portion of the login is incorrect.
- Update software and OS: The many software applications used to run the site can contain vulnerabilities. Keep all the software up to date with the latest versions and patches that close vulnerabilities that are detected.
- Input validation: Validate all input on both the client side and the server side. This prevents the injection of malicious content such as SQL injection and cross-site scripting. See the OWASP Top 10 for more on web vulnerabilities.
- Encryption: Use HTTPS for the entire site.
- Restrict access to the admin page: Allow only selected admin users to access the site admin URLs.
Most importantly, secure your site with an enterprise-class web application firewall. A WAF will protect against all web application attacks and control access to your site and applications.
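The authentication and admin-restriction practices above, as an added example (not code from the paper or from Incapsula): a login check that returns the same message whether the username or the password was wrong, pays the password-hashing cost even for unknown users so response time does not reveal which, and an allowlist check for admin URLs. The user store, the `/admin` prefix and the user names are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory user store: username -> (salt, PBKDF2 hash).
# Example code added here, not from the paper or from Incapsula.
USERS = {}
ITERATIONS = 100_000

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

def register(username: str, password: str) -> None:
    salt = os.urandom(16)
    USERS[username] = (salt, hash_password(password, salt))

# Dummy credential used for unknown usernames so that the hashing cost is paid
# either way; otherwise response time would reveal whether the username exists.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password(secrets.token_hex(16), _DUMMY_SALT)

GENERIC_FAILURE = "Invalid username or password"

def login(username: str, password: str) -> tuple:
    """Returns (ok, message). The message is the same for an unknown user
    and for a wrong password, so the response does not say which part failed."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = hash_password(password, salt)
    # compare_digest avoids leaking the position of the first mismatching byte
    ok = username in USERS and hmac.compare_digest(candidate, stored)
    return (True, "OK") if ok else (False, GENERIC_FAILURE)

# Admin URLs are only reachable by an explicit allowlist of admin accounts
# (assumed prefix and user names, constructed for the example).
ADMIN_PREFIX = "/admin"
ADMIN_USERS = {"alice"}

def authorize(path: str, username: str) -> bool:
    if path.startswith(ADMIN_PREFIX):
        return username in ADMIN_USERS
    return True
```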
Those wishing to purchase or trade a cryptocurrency can choose among the many exchanges that provide the service. Besides other considerations in choosing an exchange, the security measures and availability of the exchange must be considered so the stored assets are secured, and the potential trade is not impacted by unexpected delay at the exchange. Such delays can be caused by:
- A DDoS attack that causes the exchange to not be available for trades for some time
- A larger volume of legitimate transactions than the site can handle, overloading the database or server resources and degrading service
As reported in the latest Incapsula Global DDoS Threat Landscape Report, cryptocurrency sites using our services were in the Top 10 industries most targeted by a DDoS attack. While these attacks were all successfully mitigated by Incapsula, there have been several reports of damaging attacks on cryptocurrency exchanges.
There have been instances of each in the past few months, and likely will continue with the growing demand for cryptocurrency. Also, exchanges are a key target since they act as a wallet, and at any given point can store hundreds of millions of dollars of cryptocurrency. Therefore select an exchange with a proven record of being available and secure.
APIs are often the weak points of cryptocurrency exchange websites: their payload structure is often proprietary, which makes malicious request rates or payloads harder to identify. As a result they are often used as the vector for DDoS or other attacks.
To provide the expected level of service, an exchange must consider the following measures to mitigate the risk of service degradation.
- Provide sufficient bandwidth for the demand. This can be a constant challenge in a market where demand is rapidly increasing. Besides that challenge, it is unlikely to be sufficient to mitigate the large-scale DDoS attacks we are witnessing.
- Monitor traffic to detect when the site is under DDoS attack.
- Detect and stop malicious users by recognizing and filtering traffic such as that originating from known attack addresses, known bot agents, or from locations that are known to be the major source of attacks.
- Protect against account takeover attacks, such as those employing credential stuffing, with strong web site protection as described above for the ICO site.
- Detect and stop malicious application layer requests by recognizing and filtering an excessive number of requests from a single source or user session, known application attack signatures, and traffic that does not conform to the HTTP protocol.
- Protect your APIs (often the weak point of website protection), as it is more challenging to inspect the legitimacy of their payloads. Poorly tuned API protections can either be ineffective because of false positives or, conversely, leave attack vectors open.
Because these measures are difficult to implement effectively, exchanges can use services that provide the required level of service and protect against these attacks.
After you purchase cryptocurrency, it’s stored in your digital wallet, from which you can receive and send cryptocurrency as you like. The wallet stores the private key that proves ownership of a public key connected to a certain amount of currency in the blockchain. Since the private key cannot be recreated, a lost key means the loss of that cryptocurrency. Also, if someone gains access to the key, they have access to the cryptocurrency funds.
As a result, the safe and secure storage of the wallet is essential. The choice of the wallet is very important too. Just like you can store cash in various locations – such as a wallet or pocket to have with you, a bank or a safe – a few types of wallets are available to store cryptocurrency:
- Software wallet: A desktop or mobile app that provides access to the cryptocurrency. Since the wallet is only accessible from the one device on which it is installed, it provides a high level of security. However, if something happens to that device you might not be able to retrieve your private key, and hence lose your currency.
- Online wallet: The wallet is stored on a website and, like other data stored in the cloud, is accessible from any device. It could, however, be more vulnerable depending on the security provided by the third party. Stolen assets are often the result of credential stuffing: usernames and passwords stolen from well-known or lesser-known sites are sold on the dark web and tried against the login pages of these sites, most often by botnets, until a username/password combination works.
- Hardware wallet: A dedicated physical device built to store the keys locally provides the highest level of security. To use the wallet, users simply plug the device into an internet-enabled device, enter the device’s PIN, and make the transaction.
Using those options, we suggest these steps to secure your cryptocurrency:
- Small amounts online: Just like you usually wouldn’t keep thousands of dollars in your pocket, minimize the amount of cryptocurrency that you keep in your computer or mobile device. Maintain the amounts you require for everyday use in those environments, so that the funds are easily accessible, and maintain the remaining funds in a safer environment, such as a hardware wallet.
- Backup: Regardless of the type of wallet you use, make sure to keep safe backups of everything. Remember that if you lose your wallet private keys, you’ve lost the cryptocurrency. Keep multiple backups on different types of devices (such as USB and paper) at different secured locations so that you have alternate recovery paths.
- Encrypt: Encrypt your wallet with a strong password that you’ll never forget. Consider keeping a copy of the password in a safe location, such as a vault.
- Security layers: Employ the additional layers of security that are available in your environment, such as two-factor authentication for login and any transaction. Secure the environment with malware and antivirus protection.
- Use recommended wallets: If you use an online wallet, carefully select one that has an established reputation for secure service. Consider using a wallet that is integrated with your exchange.
- Unique password: Use a password that is not used on other websites, which could be subject to unreported credential theft.
Creating a new currency and building an exchange are complex businesses. Incapsula website protection and DDoS mitigation can protect your website from the most advanced website attacks, DDoS, and account takeover attacks. Incapsula can provide you with additional cloud-based load balancing and failover or delivery rules solutions to maximize your site availability with ease of operation.
Web Application Firewall
Incapsula’s web application firewall, named by Gartner as a leading WAF for four consecutive years, analyzes all user access to your web application and protects your application from cyberattacks while making sure that specific technologies such as web sockets are not broken. It protects against all web application attacks including OWASP Top 10 threats and blocks malicious bots. Incapsula also controls which visitors can access your application with traffic filtering based on a variety of factors.
The WAF performs profiling of all aspects of the web application to detect attacks, such as preventing a site defacing attack that relies on cross-site scripting. With this protection, your site can avoid annoying validation requests, such as a Captcha, email confirmation, or two-factor authentication that are prevalent on many sites.
To protect cryptocurrency exchange and foundation sites, Incapsula’s DDoS protection automatically detects and mitigates attacks targeting websites and web applications. Incapsula is the only service to offer an SLA-backed guarantee to detect and block attacks in under 10 seconds. Our new Behemoth 2 platform blocked a 650 Gbps (Gigabit per second) DDoS flood with more than 150 Mpps (million packets per second), with the capacity to spare. We expect that capacity will be tested further as the size of attacks continues to increase.
Besides handling large volumetric attacks, Incapsula specializes in protection against these types of DDoS attacks.
- Complex application, or Layer 7, attacks that target applications on your web server. These attacks require a smaller volume to be effective, measured in packets per second, but are harder to detect. The Forrester Wave reports Imperva to be among the top-ranked in the ability to detect and mitigate application-layer attacks.
- Large scale attacks consisting of a huge volume of requests that are orchestrated via the API provided by many sites. API traffic is filtered with minimal false positives. Check these practices to secure your API.
Content delivery networks offer an efficient way for cryptocurrency exchanges to address exponential growth and build their business to scale. In addition to the DDoS service protection, Incapsula CDN offers the following services that can help improve the robustness of cryptocurrency exchanges when under heavy load.
- Global content delivery network (CDN) improves your site’s speed and performance with its intelligent caching and its high-speed storage and optimization tools. With over 40 PoPs deployed, Incapsula provides significant improvement to page loading time.
- Incapsula cloud load balancing enables exchanges to easily scale, add servers and failover data centers and add delivery and forwarding rules from the cloud with no downtime.
- Credential stuffing and account takeover protection, with the ability to define rules that add protection to login pages and prevent bots from performing credential stuffing. This mitigates major account takeover threats in the cryptocurrency domain, in which hackers use stolen credentials for fraud.
- Traditional security measures against brute force attacks block high-rate requests to the /login page from a given IP. However, recent attacks bypass such filters by using thousands of bots on infected computers, each sending requests at a very low rate. Incapsula CDN can prevent attacks even at a low rate, since it can block or challenge any non-human visitor reaching the /login page without slowing down the page load.
- Advanced bot classification and mitigation utilizing advanced rules
- API protection with extremely low false positives while keeping a high level of protection, including against DDoS attacks targeting APIs
With these services in place, you can ensure that the site will always be available.
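The two detection measures discussed on this page, recognizing an excessive number of requests from a single source (the exchange measures above) and catching the low-rate distributed credential stuffing that a per-IP filter on /login misses (the CDN item above), as one added example that is not code from the paper or from Incapsula. The log format and the sample log lines are constructed for the example; the aggregate check flags a window where failed logins pile up across many IPs while no single IP crosses the per-IP limit.

```python
import re
from collections import defaultdict

# Constructed access-log format (not from the paper): "HH:MM:SS ip method path status"
LINE_RE = re.compile(r"^(\d\d):(\d\d):(\d\d) (\S+) (GET|POST) (\S+) (\d{3})$")

def parse(line: str) -> dict:
    h, m, s, ip, method, path, status = LINE_RE.match(line).groups()
    return {"t": int(h) * 3600 + int(m) * 60 + int(s), "ip": ip,
            "method": method, "path": path, "status": int(status)}

def make_sample_log() -> list:
    """Constructed sample: one ordinary request, one classic single-IP burst
    against /login, and one distributed low-rate campaign (40 IPs, one try each)."""
    lines = ["10:00:01 198.51.100.7 GET /markets 200"]
    lines += [f"10:00:{i:02d} 203.0.113.5 POST /login 401" for i in range(25)]
    lines += [f"10:05:{i:02d} 192.0.2.{i + 1} POST /login 401" for i in range(40)]
    return lines

def per_ip_flood(events: list, window: int = 60, limit: int = 20) -> list:
    """Traditional control: IPs sending more than `limit` requests in one window."""
    counts = defaultdict(int)
    for e in events:
        counts[(e["t"] // window, e["ip"])] += 1
    return sorted({ip for (_, ip), n in counts.items() if n > limit})

def distributed_login_failures(events: list, window: int = 60,
                               per_ip_limit: int = 20, min_failures: int = 30) -> list:
    """Aggregate control: windows where failed POST /login attempts exceed
    `min_failures` in total while no single IP exceeds `per_ip_limit`, i.e.
    the low-and-slow pattern that a per-IP rate limit alone would miss."""
    failures = defaultdict(lambda: defaultdict(int))  # window -> ip -> count
    for e in events:
        if e["method"] == "POST" and e["path"] == "/login" and e["status"] == 401:
            failures[e["t"] // window][e["ip"]] += 1
    flagged = []
    for w, per_ip in sorted(failures.items()):
        total = sum(per_ip.values())
        if total >= min_failures and max(per_ip.values()) <= per_ip_limit:
            flagged.append({"window_start": w * window, "failures": total,
                            "distinct_ips": len(per_ip)})
    return flagged

if __name__ == "__main__":
    evts = [parse(line) for line in make_sample_log()]
    print("per-IP flood:", per_ip_flood(evts))
    print("distributed low-rate:", distributed_login_failures(evts))
```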
The variety and volume of cryptocurrencies continue to rise and attacks on cryptocurrency continue to increase in size, complexity, and frequency. The associated institutions must understand the need for dedicated and advanced WAF and DDoS protection services, to minimize financial, operational, and reputation risks associated with the attacks.
The best practices outlined in this paper will help institutions build a sound mitigation strategy. These measures include monitoring of application and network traffic, detection and filtering of malicious users and identification and blocking of malicious requests.
Incapsula offers cloud-based WAF and DDoS protection services that address all of the key requirements, enabling cryptocurrency institutions to keep their websites and online applications up and running with high availability, performance, and user experience.
About Imperva Incapsula
Imperva Incapsula is a cloud-based application delivery service that protects websites and increases their performance, improving end-user experiences and safeguarding web applications and their data from attack. Incapsula includes a web application firewall to thwart hacking attempts, DDoS mitigation to ensure DDoS attacks don’t impact online business assets, a content delivery network to optimize web traffic, and a load balancer to maximize the potential of web environments.
Only Incapsula provides enterprise-grade website security and performance without the need for hardware, software, or specialized expertise. Unlike competitive solutions, Incapsula uses proprietary technologies such as client classification to identify bad bots, and big data analysis of security events to increase accuracy without creating false positives.