Running cryptocurrency exchanges could be a profitable venture, but there’s always the risk of a cyber attack. This is a general trend globally, but if you operate one in South Korea, you’re in for a rude awakening. Pending any change in plans, crypto exchanges in South Korea will now bear the full cost for hacks, regardless of who’s at fault.
Per reports from Asian news agency The Korea Herald, five exchanges have significantly increased their liability to users in the event of hacks. By updating their terms of service, these platforms have implemented a corrective recommendation by the Fair Trade Commission (FTC), the country’s financial watchdog.
Increased Liability
According to the report, the FTC had recommended updated terms of service for crypto exchanges operating in the country as far back as 2018. Previously, South Korean exchanges were not held liable for cyber attacks that didn’t occur due to negligence or system failure on their part.
However, as the news report states, these exchanges would now be held responsible for any unsanctioned transactions, regardless of whether the fault lies with their systems or not. Some of these exchanges have tried their best to keep accountability and own up to their mistakes.
Take Bithumb, for example. The last hack report on the popular exchange came back in March, when it posted that it had noticed some abnormal withdrawals on its system. In an accompanying blog post, the exchange claimed responsibility for the hack, arguing that while its security had been developed enough to deal with external attacks, this one “involved insiders.”
[Notice]
We deeply apologize to our members for delaying the cryptocurrency deposit and withdrawal service, we would like to inform you of the circumstances of the grounds and confirm that your assets are safe.
For more details >> https://t.co/dOvT78P0sK
— Bithumb (@BithumbOfficial) March 30, 2019
While the post claimed that about 3 million EOS (worth about $12.5 million at the time) in exchange funds were stolen, a separate report by The Block revealed that about 20 million XRP (worth about $6.2 million at the time) was also taken.
Unfair to Exchanges?
As can be expected, this increased liability could potentially be damaging for any exchange affected by a hack in the future. While many security breaches on crypto platforms can be traced to flaws and negligence on the part of the exchanges themselves, customers also share a little of the blame.
As exchanges now bear all of the liability, they’ll be responsible for reimbursing their clients, while also ensuring that any hacks don’t affect their bottom line.
Customer protection will finally be a priority, which could see available profits diverted to customer reimbursements, while reserves (for those exchanges that have them, at any rate) could be depleted much sooner than expected. As Blockonomi reported, Bithumb posted a net loss of $180 million last year.
Putting all of the liability on the exchanges seems a tad unfair, especially when we consider the volume of assets these platforms hold. Exchanges bearing the total burden could also serve as an incentive for customers to be rather careless with their login details and private keys. For a perfect example of the latter, take the recent phishing attempt on UPbit.
CoinDesk Korea reported last month that suspected hackers sent emails to UPbit’s customers concerning their account information. The impersonators faked a giveaway, while their emails were said to have contained a dangerous attachment.
The attachment was identified as “Event Winner Personal Information Collection and Usage Agreement.hwp,” and according to the report, it automatically runs malicious code on the host computer when opened. UPbit caught wind of this and immediately published a statement instructing users not to open any mail from the address “events@UpBit.co.kr.”
With the new terms and conditions, any person who, for some reason or other, failed to see the UPbit warning and ended up providing their information to the impersonators would still be let off the hook. The liability would fall entirely on UPbit.
For as long as they’ve been in operation, exchanges have only had to worry about ensuring the highest safety standards from their end. Now, they need to hope that their customers stay vigilant and security-conscious as well.
1 Comment
This mandate by the Korean FTC raises the bar on security. Exchanges will be challenged to prevent hacks using conventional single signature and multi-signature transaction authorization schemes.
Threshold signatures have recently gained momentum for improving security and mitigating the risk of stolen or lost digital assets. Unlike multi-sig, threshold-sig allows exchanges to implement multiparty approvals without the burden of increasing the transaction size or the transaction fees.
This makes it practical for exchanges to increase security by moving to a 3 party approval scheme.
1) The end user approves using their credentials.
2) The exchange approves after verifying the credentials and that the transaction complies with the exchange’s policies.
3) A trusted third party approves after verifying the exchange has not been hacked and the transaction complies with exchange policies.
This approach will dramatically reduce the potential for theft, both by external hackers and internal bad actors.
Sepior has an interesting white paper on threshold signatures if you’re interested. https://sepior.com/thresholdsig
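The three-party approval flow described in the comment above, sketched as an added example (not part of the original article or comment, and not Sepior's protocol): a 3-of-3 additive Schnorr signature in which each party checks its own policy before contributing, and the result is a single (R, s) pair verified against one joint public key. The group parameters, the policy functions and the transaction fields are constructed assumptions, and the sketch leaves out the extra rounds and checks that production threshold protocols add.

```python
import hashlib, secrets

# Toy Schnorr group, constructed for illustration and far too small for
# real use: P = 2*Q + 1 with P, Q prime, and G generates the order-Q subgroup.
P, Q, G = 2039, 1019, 4

def challenge(R, X, tx):
    data = repr((R, X, sorted(tx.items()))).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

class Party:
    """One approver holding an additive share of the signing key."""
    def __init__(self, name, policy):
        self.name, self.policy = name, policy
        self.share = secrets.randbelow(Q - 1) + 1      # never leaves this party
        self.pub_share = pow(G, self.share, P)

    def commit(self, tx):
        if not self.policy(tx):                        # independent policy check
            return None
        self._k = secrets.randbelow(Q - 1) + 1         # fresh nonce per signature
        return pow(G, self._k, P)

    def respond(self, e):
        k, self._k = self._k, None                     # nonce is single-use
        return (k + e * self.share) % Q

def joint_public_key(parties):
    X = 1
    for p in parties:
        X = X * p.pub_share % P
    return X

def threshold_sign(parties, tx):
    commits = [p.commit(tx) for p in parties]
    if any(c is None for c in commits):
        return None                                    # one refusal blocks signing
    R = 1
    for c in commits:
        R = R * c % P
    e = challenge(R, joint_public_key(parties), tx)
    return R, sum(p.respond(e) for p in parties) % Q   # same shape as single-signer

def verify(X, tx, sig):
    R, s = sig
    return pow(G, s, P) == R * pow(X, challenge(R, X, tx), P) % P

def demo_parties(limit=1000):
    # Hypothetical policies: a credential flag for the user, a withdrawal limit for the others.
    return [Party("user", lambda tx: tx["user_authenticated"]),
            Party("exchange", lambda tx: tx["amount"] <= limit),
            Party("third_party", lambda tx: tx["amount"] <= limit)]
```

No party ever sees another's key share, and a verifier cannot tell from the signature how many approvers took part, which is why the transaction size does not grow with the number of approvals.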