Research Summary
The report by Dilation Effect and WuBlockchain delves into the security measures of cryptocurrency exchanges, focusing on password leaks in mainstream exchange accounts. The research evaluates the security strength of common two-factor authentication (2FA) mechanisms and provides recommendations for exchanges and users to enhance their security settings.
Key Takeaways
Password Leaks in Mainstream Exchange Accounts
- Widespread password leaks: The research found thousands of plaintext records containing usernames and passwords for mainstream exchange accounts; the authors estimate that 10% to 20% of these records are accurate (i.e. still valid credentials).
- Security risks: While account and password leaks do not automatically result in financial losses, users remain at risk if they have not configured their security settings adequately.
- 2FA vulnerabilities: If a user’s email account uses the same credentials as their exchange login email, attackers can easily acquire the email verification code needed for 2FA, gaining access to the user’s account.
Security Comparison of Common 2FA Mechanisms
- Email verification: The report finds that email verification codes are not a reliable second factor; the security of email verification is notably low, since whoever controls the mailbox also receives the code.
- SMS verification: SMS verification codes are also exposed in numerous attack scenarios, including fake base station attacks and SIM-swapping attacks.
- Recommended 2FA methods: Dilation Effect recommends that users, at the very least, configure Google Authenticator as their fundamental security setting. Users with higher security requirements may opt for physical Security Keys.
Recommendations for Exchanges and Users
- Emergency response protocols: Exchanges should immediately initiate emergency response protocols to investigate instances of leaked user account passwords and guide affected users to change their passwords and enhance their account security settings.
- Secure by Default design approach: Exchanges should adopt a “Secure by Default” design approach, prioritizing user account security.
- Importance of network security: Users should take account security seriously and enable Google Authenticator on their accounts.
Actionable Insights
- Enhance security measures: Cryptocurrency exchanges should enhance their security measures, including initiating emergency response protocols in case of password leaks and adopting a “Secure by Default” design approach.
- Configure Google Authenticator: Users should, at the very least, configure Google Authenticator as their fundamental security setting to protect their accounts.
- Regular monitoring: Exchanges should regularly monitor user account password leaks to ensure the safety of user funds.
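The emergency-response and regular-monitoring recommendations above both start from the same step: given a leaked list of username/password pairs, of which only a fraction are accurate, the exchange has to work out which of its accounts are actually affected before forcing resets and prompting for 2FA. The following is an added example, not code from the report or from any exchange, showing that triage against a salted PBKDF2 password store: each leaked record is re-hashed with that user's own salt and compared in constant time to the stored hash, so stale or wrong records are discarded and no plaintext passwords are stored. The account store, the leak records and the hashing parameters are constructed sample values.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Work factor for the sample store (a production value would be tuned to hardware).
PBKDF2_ITERATIONS = 100_000


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    totp_enabled: bool


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def make_account(username: str, password: str, totp_enabled: bool) -> Account:
    salt = os.urandom(16)
    return Account(username, salt, hash_password(password, salt), totp_enabled)


def triage_leak(accounts, leaked_records):
    """Map each confirmed-affected username to a severity.

    A record is confirmed only if its plaintext password re-hashes to the stored
    hash for that user; everything else (unknown user, stale password) is noise.
    Accounts without an app-based second factor are the ones a leaked password
    can actually take over, so they are ranked 'critical'.
    """
    by_name = {a.username: a for a in accounts}
    findings = {}
    for username, leaked_pw in leaked_records:
        acct = by_name.get(username)
        if acct is None:
            continue
        if not hmac.compare_digest(hash_password(leaked_pw, acct.salt), acct.pw_hash):
            continue
        findings[username] = "critical" if not acct.totp_enabled else "high"
    return findings


# Constructed sample account store and a constructed leak dump with mixed accuracy.
SAMPLE_ACCOUNTS = [
    make_account("alice", "correct-horse-battery", totp_enabled=True),
    make_account("bob", "hunter2", totp_enabled=False),
    make_account("carol", "rotated-last-month", totp_enabled=True),
]
LEAKED_RECORDS = [
    ("alice", "correct-horse-battery"),  # accurate, but alice has TOTP
    ("bob", "hunter2"),                  # accurate and no TOTP: takeover possible
    ("carol", "old-password-2021"),      # stale record, no longer matches
    ("dave", "whatever"),                # not a user of this exchange
]


def run_sample():
    return triage_leak(SAMPLE_ACCOUNTS, LEAKED_RECORDS)


if __name__ == "__main__":
    for user, severity in sorted(run_sample().items()):
        print(f"{user}: {severity} -> force password reset, prompt TOTP enrolment")
```

The output of the triage feeds the response protocol directly: every confirmed user gets a forced reset, and the "critical" set (valid password, no app-based 2FA) is where withdrawals should be held until the user re-authenticates. The same routine run on a schedule against newly published dumps is the monitoring step the report asks for.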