The Binance Hack shows us once again that simply by moving the world to blockchain, it will not remove the risks associated with two major areas: Users and Basic Best Practice Hygiene. It’s frustrating to me as a 20-year practitioner that we continue to make the same mistakes as 20-years ago, just in a different programming language.

Risk Area 1: End Users

First, systems are only as weak as the users. No matter how good the system is, any loss of information, compromise, virus, misunderstanding, or exploit of an end user or their ‘key’ to your system WILL result in a compromise to their account. Sometimes a backend system will catch a transaction that is unexpected but often ‘insurance’ just pays back the user because most financial institutions still will not accuse their users of being stupid or provide help to make an end-user computer system better, it’s better PR to just make them whole. Good on Binance … they just made the users whole. From a prevention standpoint though, until there are more measures directly aimed at proving the intent and identity of the user, with backend detection, AI, behavior, signal detection, instrumentation, incidents will continue to happen within #blockchain infrastructures just as in any traditional system.

Risk Area 2: Lack of Basic Hygiene

Second, companies have to stop Skipping basic cybersecurity hygiene! I’m very happy to read that Binance had back-end systems that noticed something, but I’m guessing that they do not have a fully functional managed security provider, SIEM, behavior tool, systems instrumentation, etc. I have not talked to Binance specifically but have tried reaching out to exchanges to ask about their cybersecurity abilities, and without fail get “We take care of all of that internally.” Unless these exchanges have all built a fully operational staff of cyber experts (haha) these breaches will continue to happen. Please do not believe that your expert developers understand cybersecurity like the actual cyber experts. 90% of a blockchain system is the same application risks as a traditional data center system. Don’t forget what we have learned from NIST, PCI, HIPAA, etc.

If you run a crypto project or an exchange, I would love the opportunity to have my team run a short cybersecurity assessment on your environment and start to make some headway in improving architecture, monitoring, or response so that we can get your detection and response time to near zero.

Scott J. Carlson

Scott J. Carlson

Head of Blockchain Security at Kudelski Security
Scott Carlson currently serves as Kudelski Security's Head of Blockchain Security. He has spent nearly 20 years leading security, operations, and engineering efforts at Charles Schwab, PayPal, Beyond Trust, University of Phoenix, and most recently as CISO with blockchain/supply-chain company Sweetbridge. He believes operations and architecture can meet with a common sense approach to security and that blockchain projects can be delivered effectively with uncompromising security built in from the outset.
Scott J. Carlson