When it comes to running an exchange, security is of foremost importance. Everything else can take a back seat. Let's look at the checklist of security measures that the Cointronix Cryptocurrency Exchange has implemented during development and at the user end.
HTTPS: We use HTTPS everywhere. Any information transferred between our server pages and the user's system travels only over a secure (TLS) connection.
Bcrypt Hashing Technique: All passwords stored in the Cointronix Exchange are hashed using an effective one-way hashing technique. We use the bcrypt hash to store sensitive information. Besides incorporating a salt to protect against rainbow-table attacks, bcrypt is an adaptive function: over time, the cost (iteration count) can be increased to make it slower, so it remains resistant to brute-force search even as computing power increases.
Session Identifier: We make sure that after each logout the session identifier is destroyed. A session identifier that survives logout can be the single largest security threat if not taken care of.
Timeout Sessions Management: The entire session lifecycle is time-bounded. As on banking websites, we monitor for inactivity and time out idle sessions. If multiple concurrent sessions are detected, we destroy all active sessions. When a customer resets their password, we destroy all active sessions. We make sure that ownership of every resource page in the Cointronix Exchange (Transaction History, Trade, Withdrawal / Deposits, etc.) is checked against the logged-in user identified by the session id.
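The session rules in the two items above (destroy on logout, idle timeout, destroy everything when multiple sessions appear or the password is reset, and an ownership check keyed on the session id) are collected in one in-memory store in this added example. It is illustrative code, not the exchange's implementation; the 15-minute idle limit is an assumption and the clock is injectable so the timeout can be exercised without waiting.

```python
import secrets
import time


class SessionStore:
    """Minimal session store implementing the lifecycle rules described above."""

    def __init__(self, idle_timeout_s: int = 900, clock=time.time):
        self.idle_timeout_s = idle_timeout_s
        self.clock = clock          # injectable so tests can advance time
        self._sessions = {}         # session_id -> {"user_id": str, "last_seen": float}

    def create(self, user_id: str) -> str:
        sid = secrets.token_urlsafe(32)          # 256-bit random identifier
        self._sessions[sid] = {"user_id": user_id, "last_seen": self.clock()}
        return sid

    def _revoke_all(self, user_id: str) -> None:
        for sid in [s for s, v in self._sessions.items() if v["user_id"] == user_id]:
            del self._sessions[sid]

    def user_for(self, sid: str):
        """Return the owning user_id, or None if the session is unknown, duplicated or expired."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        user_id = s["user_id"]
        # More than one live session for the same user: destroy all of them.
        if sum(1 for v in self._sessions.values() if v["user_id"] == user_id) > 1:
            self._revoke_all(user_id)
            return None
        now = self.clock()
        if now - s["last_seen"] > self.idle_timeout_s:
            del self._sessions[sid]              # idle timeout: destroy, do not merely reject
            return None
        s["last_seen"] = now
        return user_id

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)            # identifier is gone and cannot be replayed

    def password_reset(self, user_id: str) -> None:
        self._revoke_all(user_id)                # every existing session dies with the old password


def authorize_resource(store: SessionStore, sid: str, resource_owner: str) -> bool:
    """Ownership check for a resource page: the session must be valid AND belong to the owner."""
    user = store.user_for(sid)
    return user is not None and user == resource_owner
```

Every page handler for Transaction History, Trade or Withdrawal would call `authorize_resource` with the owner recorded on the resource, so a valid session for one user never renders another user's data.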
State Parameter in OAuth2: During development we made it standard practice to use the OAuth2 state parameter effectively. Generally, other exchanges place the redirection URL in the redirect_uri parameter, which can open up a nasty security vulnerability that allows an attacker to insert arbitrary strings. The attacker bypasses the pattern matching, to the extent of disabling fragment processing in the browser, intercepts the response and passes unwanted commands to the exchange to execute. This was one of the security vulnerabilities that hackers used in the famous Mt. Gox hack.
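How the state parameter and redirect_uri handling fit together on the client side of an authorization-code flow, as an added example that is not the exchange's code. The authorization server URL, client id and registered callback are placeholders. The point it demonstrates: state is random, bound to the browser session and single-use; redirect_uri is compared against an allowlist by exact string equality rather than pattern matching; and a callback carrying a fragment, a foreign host or an unexpected state is refused.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_URL = "https://auth.example/oauth/authorize"          # placeholder
CLIENT_ID = "cointronix-web"                                     # placeholder
REGISTERED_REDIRECT_URIS = {"https://exchange.example/oauth/callback"}  # exact strings only


def begin_authorization(session: dict, redirect_uri: str) -> str:
    """Build the authorization URL and bind a fresh random state to this session."""
    # Exact-match allowlist: no prefix or regex matching, so a crafted redirect_uri
    # with an extra path, query or fragment is rejected before it is ever sent.
    if redirect_uri not in REGISTERED_REDIRECT_URIS:
        raise ValueError("redirect_uri is not registered")
    state = secrets.token_urlsafe(32)            # unguessable, one per authorization attempt
    session["oauth_state"] = state
    session["oauth_redirect_uri"] = redirect_uri
    return AUTHORIZE_URL + "?" + urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": redirect_uri,
        "state": state,
    })


def handle_callback(session: dict, callback_url: str):
    """Validate the redirect back to us; return the authorization code or None."""
    parts = urlsplit(callback_url)
    # The code must arrive in the query string. A fragment means the response came
    # back the wrong way and would be invisible to the server anyway.
    if parts.fragment:
        return None
    base = "{}://{}{}".format(parts.scheme, parts.netloc, parts.path)
    if base != session.get("oauth_redirect_uri"):
        return None
    query = parse_qs(parts.query)
    expected_state = session.pop("oauth_state", None)   # consumed whether or not it matches
    received_state = query.get("state", [""])[0]
    if expected_state is None or not hmac.compare_digest(expected_state, received_state):
        return None                                       # forged or replayed callback
    return query.get("code", [None])[0]
```

Popping the state before comparing means a wrong guess also invalidates the pending attempt, so an attacker cannot keep probing the same session; the user simply starts the login again.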
Cookies Management: Cookie management and processing is something we have given extra attention to in the Cointronix Exchange. We set only cookies flagged Secure and HttpOnly.
JSON Web Tokens: We employ JSON Web Tokens (JWT) where possible for representing claims between two parties.
One Time Password: OTP (One Time Password) is secure but has become an age-old technique in which hackers know many loopholes. We built modules that watch whether a particular user is making too many attempts to generate or re-send OTPs, and limit their access programmatically.
Reset Password Token: Predictable patterns in reset-password tokens are a common loophole exploited by hackers. We ensure that the reset-password token generated and sent to the user's email is random. We also expire such reset tokens within a very strict time limit.
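The two items above share a pattern: a short-lived credential is issued out of band, and the issuing endpoint itself must be throttled. This added example (not the exchange's modules) shows a per-user sliding-window limiter for OTP generate/resend requests, and a reset-token service whose tokens are 256 bits from the OS CSPRNG, stored only as a SHA-256 hash, single-use and expired after a strict TTL. Limits, TTLs and the injectable clock are assumptions.

```python
import hashlib
import secrets
import time
from collections import defaultdict, deque


class OtpRequestLimiter:
    """Allow at most `max_requests` OTP generate/resend calls per user per window."""

    def __init__(self, max_requests: int = 5, window_s: int = 600, clock=time.time):
        self.max_requests, self.window_s, self.clock = max_requests, window_s, clock
        self._events = defaultdict(deque)       # user_id -> timestamps of recent requests

    def allow(self, user_id: str) -> bool:
        now = self.clock()
        q = self._events[user_id]
        while q and now - q[0] > self.window_s:  # drop events that fell out of the window
            q.popleft()
        if len(q) >= self.max_requests:
            return False                         # caller should refuse to send another OTP
        q.append(now)
        return True


class ResetTokenService:
    """Unguessable, single-use, strictly expiring password-reset tokens."""

    def __init__(self, ttl_s: int = 900, clock=time.time):
        self.ttl_s, self.clock = ttl_s, clock
        self._pending = {}                       # sha256(token) -> (user_id, expires_at)

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id: str) -> str:
        token = secrets.token_urlsafe(32)        # 256 random bits: no sequence or timestamp to predict
        self._pending[self._key(token)] = (user_id, self.clock() + self.ttl_s)
        return token                             # goes into the e-mailed link; never stored in clear

    def consume(self, token: str):
        """Return user_id if the token is valid and unexpired. The token is spent either way."""
        entry = self._pending.pop(self._key(token), None)
        if entry is None:
            return None
        user_id, expires_at = entry
        if self.clock() > expires_at:
            return None
        return user_id
```

Storing only the hash means a copy of the pending-token table is useless to whoever obtains it, which is the same reasoning applied to passwords earlier on this page.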
RFC-compliant UUIDs: We adopted the best practice of using RFC-compliant UUIDs for user_id and similar identifiers.
SMS Authentication: As in banking systems, any edit to a user's personal contact details, such as mobile number, email ID or address, is confirmed via SMS verification to the owner.
KYC Document Uploads: To neutralize the web-shell technique hackers use to gain access to an exchange server, we are very careful about KYC document uploads: how users are allowed to upload files and what types of files are allowed. We do a strict MIME check on the file types and check filenames for suspicious patterns. As a best practice, uploaded documents sit in a separate Amazon instance rather than on the main server.
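The upload checks described above, as an added example rather than the exchange's own validator. It goes slightly beyond the text in one respect: besides checking the declared MIME type, it inspects the file's leading bytes, because the MIME type sent by the browser is just another client-supplied string. Filenames are reduced to a strict pattern (no directory parts, no double extensions) and the storage name is generated on the server. The allowed types and the 10 MB limit are assumptions.

```python
import os
import re
import uuid

# extension -> (declared MIME types accepted for it, magic-byte prefixes the content must start with)
ALLOWED_TYPES = {
    "pdf":  ({"application/pdf"}, [b"%PDF-"]),
    "jpg":  ({"image/jpeg"}, [b"\xff\xd8\xff"]),
    "jpeg": ({"image/jpeg"}, [b"\xff\xd8\xff"]),
    "png":  ({"image/png"}, [b"\x89PNG\r\n\x1a\n"]),
}
MAX_UPLOAD_BYTES = 10 * 1024 * 1024          # assumed limit


class UploadRejected(ValueError):
    pass


def validate_kyc_upload(filename: str, declared_mime: str, data: bytes) -> str:
    """Return a server-chosen storage name, or raise UploadRejected."""
    if len(data) > MAX_UPLOAD_BYTES:
        raise UploadRejected("file too large")
    # Keep only the final path component so a name like "../../x.png" cannot steer the path.
    base = os.path.basename(filename.replace("\\", "/"))
    # One stem, one extension, conservative characters; this also rejects "id.php.png".
    if not re.fullmatch(r"[A-Za-z0-9_-]+\.[A-Za-z0-9]+", base):
        raise UploadRejected("filename pattern not allowed")
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_TYPES:
        raise UploadRejected("extension not allowed")
    mimes, magics = ALLOWED_TYPES[ext]
    if declared_mime.lower() not in mimes:
        raise UploadRejected("declared MIME type does not match extension")
    if not any(data.startswith(m) for m in magics):
        raise UploadRejected("file content does not match its type")   # renamed script caught here
    # Nothing from the client ends up in the storage path.
    return "{}.{}".format(uuid.uuid4().hex, ext)


def is_accepted(filename: str, declared_mime: str, data: bytes) -> bool:
    try:
        validate_kyc_upload(filename, declared_mime, data)
        return True
    except UploadRejected:
        return False
```

Keeping the accepted files on a separate host, as the text describes, is the second half of the defence: even a file that passes every check is never on a path the web server will execute.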
Cross Site Scripting: We employ Content Security Policy headers to fight cross-site scripting and data injection attacks. We also implemented CSRF protection to defend against cross-site request forgery attacks.
HTTP Strict Transport Security: We implemented HTTP Strict Transport Security across the exchange to prevent SSL-stripping attacks.
Clickjacking: We have taken steps to protect the Exchange from clickjacking and cross-site attacks by making effective use of the X-Frame-Options and X-XSS-Protection headers.
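The browser-side defences listed in the cookie, XSS/CSRF, HSTS and clickjacking items above all come down to what the server puts on each response. This added example, not the exchange's configuration, builds that header set and a hardened Set-Cookie line, implements a synchronizer-token CSRF check, and includes a small audit function that reports which of these protections a response is missing. The specific policy values are a reasonable baseline assumed for illustration.

```python
import hmac
import secrets


def security_headers() -> dict:
    """Response headers every HTML page should carry."""
    return {
        # HSTS: the browser refuses plain HTTP for a year, so a stripped first request is not honoured.
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        # CSP: scripts and resources only from our origin, no framing by anyone, no plugins.
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'; "
                                   "object-src 'none'; base-uri 'self'",
        "X-Frame-Options": "DENY",              # clickjacking fallback for older browsers
        "X-Content-Type-Options": "nosniff",
        "X-XSS-Protection": "1; mode=block",
    }


def session_cookie(name: str, value: str, max_age_s: int = 900) -> str:
    """Set-Cookie value: TLS only, invisible to page scripts, never sent on cross-site requests."""
    return "{}={}; Max-Age={}; Path=/; Secure; HttpOnly; SameSite=Strict".format(
        name, value, max_age_s)


def issue_csrf_token(session: dict) -> str:
    """Per-session random token, embedded in forms / read by our own scripts."""
    token = secrets.token_urlsafe(32)
    session["csrf"] = token
    return token


def check_csrf(session: dict, request_headers: dict) -> bool:
    """A cross-site page can make the browser send our cookies, but it cannot read the
    token out of our page nor set a custom header from a plain form submission."""
    expected = session.get("csrf")
    received = request_headers.get("X-CSRF-Token", "")
    return bool(expected) and hmac.compare_digest(expected, received)


def audit_response(headers: dict, set_cookie_lines: list) -> list:
    """Return human-readable findings for protections that are missing."""
    findings = []
    if "Strict-Transport-Security" not in headers:
        findings.append("missing HSTS")
    csp = headers.get("Content-Security-Policy", "")
    if not csp:
        findings.append("missing CSP")
    if "frame-ancestors" not in csp and \
            headers.get("X-Frame-Options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("framing not restricted (clickjacking)")
    for line in set_cookie_lines:
        name = line.split("=", 1)[0].strip()
        attrs = {a.strip().split("=", 1)[0].lower() for a in line.split(";")[1:]}
        if "secure" not in attrs:
            findings.append("cookie {} lacks Secure".format(name))
        if "httponly" not in attrs:
            findings.append("cookie {} lacks HttpOnly".format(name))
    return findings
```

Run `audit_response` against the headers of a real response, for instance from a deployment smoke test, to catch a reverse proxy or framework upgrade that silently drops one of these headers.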
Countering Phishing Techniques: We keep our Domain Name System records updated with a Sender Policy Framework (SPF) record. This effectively counters phishing techniques that try to lure our users away from the original site.
Multi Signature: We use two private keys to validate every transaction on our cryptocurrency exchange. Employing multisig technology instantly adds another layer of security to transactions.
Time-locked Transactions: All transactions on the Cointronix Exchange are executed under a specific time-lock and across several steps, based on the configuration of the time-lock. If there is a mismatch between the keys used in the different steps, the transaction is immediately rolled back, making it near impossible for a hacker to withdraw crypto even with unauthorized access.
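The two items above describe one control flow: a withdrawal needs approval from two distinct keys, each step must sign the same transaction details, any inconsistency rolls the withdrawal back, and nothing leaves the wallet until the time-lock has elapsed. The following added example models that flow; it is not the exchange's code, and an HMAC per co-signer key stands in for the real private-key signature (on-chain multisig and locktime would enforce the same rules at the blockchain level). Key material, amounts and the one-hour lock are constructed.

```python
import hashlib
import hmac
import json
import time

PENDING, APPROVED, EXECUTED, ROLLED_BACK = "pending", "approved", "executed", "rolled_back"


def tx_digest(tx: dict) -> str:
    """Canonical digest of the withdrawal; every co-signer signs exactly this."""
    canonical = json.dumps(tx, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(canonical).hexdigest()


def sign(key_secret: bytes, digest: str) -> str:
    """Stand-in for a co-signer's signature over the digest."""
    return hmac.new(key_secret, digest.encode("ascii"), hashlib.sha256).hexdigest()


class WithdrawalPipeline:
    def __init__(self, signer_keys: dict, required: int = 2, lock_s: int = 3600, clock=time.time):
        self.signer_keys = signer_keys     # key_id -> secret (hypothetical co-signer keys)
        self.required = required           # distinct keys needed (2 in the text)
        self.lock_s = lock_s               # time-lock duration
        self.clock = clock

    def submit(self, tx: dict) -> dict:
        return {"tx": dict(tx), "digest": tx_digest(tx), "created": self.clock(),
                "approvals": {}, "state": PENDING}

    def approve(self, rec: dict, key_id: str, signature: str) -> str:
        """One step of the multi-step approval. Any mismatch rolls the withdrawal back."""
        if rec["state"] != PENDING:
            return rec["state"]
        secret = self.signer_keys.get(key_id)
        if (secret is None                                    # key not authorised
                or key_id in rec["approvals"]                 # same key reused for a later step
                or rec["digest"] != tx_digest(rec["tx"])      # details changed since submission
                or not hmac.compare_digest(sign(secret, rec["digest"]), signature)):
            rec["state"] = ROLLED_BACK
            return rec["state"]
        rec["approvals"][key_id] = signature
        if len(rec["approvals"]) >= self.required:
            rec["state"] = APPROVED
        return rec["state"]

    def execute(self, rec: dict) -> bool:
        """Broadcast only after the required distinct approvals AND the time-lock has elapsed."""
        if rec["state"] != APPROVED:
            return False
        if self.clock() < rec["created"] + self.lock_s:
            return False                   # still locked; nothing leaves the wallet yet
        rec["state"] = EXECUTED
        return True
```

The time-lock is what turns a compromise into an incident with a response window: an attacker who obtains one key and a session still cannot complete a withdrawal before the lock expires, and the operators can roll back anything pending in the meantime.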
Cold Wallet–Hot Wallet Balance: Our cold-storage wallet is completely isolated from the Exchange servers by a near-impenetrable firewall. Cointronix uses intelligent algorithms to move funds back and forth between the cold wallet and the hot wallet based on the liquidity predicted to be required for the hour.
2 Factor Authentication: Using Google Authenticator as a second factor largely prevents malicious actors from gaining unauthorized access to user accounts.
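Google Authenticator implements time-based one-time passwords (TOTP, RFC 6238, built on HOTP, RFC 4226). This added example, not the exchange's 2FA module, shows the server side: generating the enrolment secret, computing codes, and a verifier that tolerates one step of clock skew but never accepts a counter it has already accepted, so a code captured by a phishing page cannot be replayed within its validity window. The clock is injectable for testing.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, at: float = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    at = time.time() if at is None else at
    return hotp(secret, int(at) // step, digits)


def new_enrolment_secret() -> str:
    """Base32 secret to show the user once (as a QR code) during authenticator enrolment."""
    return base64.b32encode(secrets.token_bytes(20)).decode("ascii")


class TotpVerifier:
    def __init__(self, clock=time.time, step: int = 30, skew_steps: int = 1):
        self.clock, self.step, self.skew_steps = clock, step, skew_steps
        self._last_counter = {}                  # user_id -> last accepted counter

    def verify(self, user_id: str, secret_b32: str, code: str) -> bool:
        if not (code.isascii() and code.isdigit()):
            return False
        secret = base64.b32decode(secret_b32)
        counter = int(self.clock()) // self.step
        for c in range(counter - self.skew_steps, counter + self.skew_steps + 1):
            if c <= self._last_counter.get(user_id, -1):
                continue                         # already used: a captured code cannot be replayed
            if hmac.compare_digest(hotp(secret, c), code):
                self._last_counter[user_id] = c
                return True
        return False
```

The per-user `_last_counter` must live in shared storage in a multi-server deployment; a verifier that forgets accepted counters between requests gives the replay protection up.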
Cloudflare: Cointronix implemented Cloudflare to secure the exchange and its APIs from online cyber-attacks, including DDoS.
Hardware Security Modules (HSM): Cointronix servers use Hardware Security Modules (HSM) to protect their blades. Our servers are sophisticated enough to wipe all security keys if a breach is detected. The HSM also manages keys and provides secure execution of certain sensitive code.