Unifying the Global Response to Cybercrime
FinTech Security
Glib Pakharenko
gpaharenko (at) gmail.com
2016-04-02

FinTech is under attack

36 exchanges no longer operate
• 13 exchanges claim to have been hacked. In total, more than 950,000 bitcoins have been stolen from their rightful owners.
1. AllCrypt
2. Bitcoin
3. Bitcoin Brasil
4. Bitcoinica
5. Bitfloor
6. BitMarket.eu
7. Bitomat
8. Bitspark
9. Bitstake
10. BitYes
11. Britcoin
12. Coin
13. CoinEX
14. Coin.Mx
15. Comkort
16. Crypto
17. Cryptorush
18. Excoin
19. FXBTC
20. Harborly
21. Intersango
22. Kapiton
23. LibertyBit
24. McxNOW
25. Melotic
26. MintPal
27. MtGox
28. Prelude
29. SwissCEX
30. The Bitcoin Market
31. Tradehill
32. UpBit
33. Vault of Satoshi
34. Virtex
35. WeExchange
36. Yacuna

Dead altcoins

Malware steals bitcoins

Is bitcoin-core secure?

Mining software is vulnerable
Just a quick look revealed multiple bugs in the mining clients BFGMiner, SGMiner and CGMiner:
• CVE-2014-4501 describes an attacker’s ability to overflow a stack buffer via a long URL argument in the “client.reconnect” message.
• CVE-2014-4502 enables an attacker to send a large or negative nonce length parameter to the client, which causes the miner to calculate an insufficient buffer size for new blocks and overwrite heap memory.
• CVE-2014-4503: an attacker in the middle of a connection can send a “mining.notify” message with malformed parameters to the client.

Mining software is vulnerable (cont.)
• An attacker can sniff the cleartext credentials in the mining.authorize message. These credentials may be reused elsewhere across the internet and may lead to account compromise.
• An attacker in the middle of a connection can replace the Bitcoin address in the username field of a mining.authorize message with their own to steal the user’s payouts from the pool.
• An attacker can spoof a “client.reconnect” message from the pool to redirect the miner to a private pool. This reconnection would not be initially obvious to the user, and the pool would not need to pay out any share of the block rewards.
• An attacker or malicious pool can send a message containing a malicious payload that remotely executes code on a victim’s machine. This can be used to install malware such as rootkits and keyloggers.
• An attacker can perform a DoS attack against pool members.
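The checks a mining client would want against the pool messages named on these two slides, as an added Python example (not code from the slides or from BFGMiner, SGMiner or CGMiner): the client.reconnect host and port, the extranonce2_size from the mining.subscribe result, and every mining.notify field. Field layouts follow the public Stratum protocol; the numeric limits and the sample messages are assumptions.

```python
# Added example (not from the slides or any miner project): bounds-check the
# Stratum messages the slides name before a client acts on them. Field layouts
# follow the public Stratum protocol; the numeric limits are assumptions.
import json

MAX_HOST_LEN = 253         # longest legal DNS name
MAX_EXTRANONCE2 = 16       # assumed; real pools hand out 4 or 8 bytes


def _is_hex(value, nbytes=None):
    """True if value is a plain hex string (of exactly nbytes when given)."""
    try:
        raw = bytes.fromhex(value) if isinstance(value, str) and " " not in value else None
    except ValueError:
        return False
    return raw is not None and (nbytes is None or len(raw) == nbytes)


def _is_int(value, lo, hi):
    return isinstance(value, int) and not isinstance(value, bool) and lo <= value <= hi


def validate_reconnect(params):
    """client.reconnect: [host, port, wait]. Bounds the host length so a long URL
    argument (the CVE-2014-4501 pattern) is rejected before any buffer copy."""
    if not isinstance(params, list) or not 1 <= len(params) <= 3:
        return False, "client.reconnect: expected 1 to 3 parameters"
    if not isinstance(params[0], str) or not 0 < len(params[0]) <= MAX_HOST_LEN:
        return False, "client.reconnect: host missing or too long"
    if len(params) > 1 and not _is_int(params[1], 1, 65535):
        return False, "client.reconnect: port out of range"
    return True, ""


def validate_extranonce2_size(size):
    """extranonce2_size from the mining.subscribe result. A negative or huge value
    (the CVE-2014-4502 pattern) would drive an undersized buffer allocation."""
    if not _is_int(size, 1, MAX_EXTRANONCE2):
        return False, "extranonce2_size must be an int in 1..%d" % MAX_EXTRANONCE2
    return True, ""


def validate_notify(params):
    """mining.notify: [job_id, prevhash, coinb1, coinb2, merkle_branch, version,
    nbits, ntime, clean_jobs]. Every hex field is length-checked (CVE-2014-4503)."""
    if not isinstance(params, list) or len(params) != 9:
        return False, "mining.notify: expected 9 parameters"
    job_id, prevhash, coinb1, coinb2, branch, version, nbits, ntime, clean = params
    if not (_is_hex(prevhash, 32) and _is_hex(coinb1) and _is_hex(coinb2)):
        return False, "mining.notify: prevhash/coinbase fields must be hex"
    if not isinstance(branch, list) or not all(_is_hex(h, 32) for h in branch):
        return False, "mining.notify: merkle branch must be 32-byte hex hashes"
    if not all(_is_hex(f, 4) for f in (version, nbits, ntime)):
        return False, "mining.notify: version/nbits/ntime must be 4 hex bytes"
    if not isinstance(clean, bool):
        return False, "mining.notify: clean_jobs must be boolean"
    return True, ""


VALIDATORS = {"client.reconnect": validate_reconnect, "mining.notify": validate_notify}


def check_line(raw):
    """(accepted, reason) for one message from the pool; unsupported methods are
    refused so only whitelisted, validated notifications reach the miner."""
    try:
        msg = json.loads(raw)
    except ValueError:
        return False, "not valid JSON"
    if not isinstance(msg, dict) or not isinstance(msg.get("method"), str):
        return False, "not a JSON-RPC notification"
    validator = VALIDATORS.get(msg["method"])
    if validator is None:
        return False, "unsupported method %r" % msg["method"]
    return validator(msg.get("params"))
```

A client that already authenticates the pool (TLS) still needs these checks, because the slides' third and fourth bullets describe a pool that is itself malicious.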

Mining issues
The chain of events leading to financial loss for miners:
• late software update
• dependency on the OpenSSL software
• hard fork
• SPV nodes conflicted with up-to-date full nodes

Randomness issues
The problem:
• weakness in the random number generation provided by the Java Cryptography Architecture (JCA) on Android
• use of the http://random.org site to get random numbers over an unencrypted connection and without handling server errors
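How a wallet should treat a remote randomness source such as the one this slide describes, as an added Python example (not the slides' or any wallet's code): naive_seed() reproduces the unchecked pattern, while hardened_seed() requires HTTPS, a 200 reply and a well-formed body, and mixes the result with the local CSPRNG. The one-hex-byte-per-line reply format and the sample replies are constructed assumptions.

```python
# Added example (not from the slides or any wallet): how a wallet should treat
# random bytes pulled from a remote service such as random.org. naive_seed() is
# the pattern the slide criticises (plaintext URL, no status check, body used
# as-is); hardened_seed() validates the reply and mixes it with the local CSPRNG.
# The response format (one hex byte per line) and all sample replies are constructed.
import hashlib
import hmac
import os
import re

EXPECTED_BYTES = 32
HEX_LINE = re.compile(r"^[0-9a-f]{2}$")


class RandomnessError(Exception):
    """Raised when the remote reply cannot be trusted as entropy."""


def check_source_url(url):
    """The slide's source was fetched over http://; refuse anything but TLS."""
    if not url.lower().startswith("https://"):
        raise RandomnessError("remote RNG must be fetched over HTTPS, got %r" % url)
    return url


def naive_seed(status, body):
    """Failure mode: whatever came back (even an error page) becomes the key,
    so every wallet that hits the same outage derives the same key."""
    return hashlib.sha256(body.encode()).digest()


def parse_remote_bytes(status, body):
    """Accept only a 200 reply whose body is exactly EXPECTED_BYTES hex bytes."""
    if status != 200:
        raise RandomnessError("remote RNG answered HTTP %d" % status)
    lines = body.strip().split("\n")
    if len(lines) != EXPECTED_BYTES or not all(HEX_LINE.match(line) for line in lines):
        raise RandomnessError("remote RNG reply is not %d hex bytes" % EXPECTED_BYTES)
    return bytes(int(line, 16) for line in lines)


def hardened_seed(status, body, local=None):
    """Mix validated remote bytes with local CSPRNG output. The result is at least
    as unpredictable as the stronger input, so a replayed, observed or stuck
    remote reply cannot on its own make wallet keys guessable."""
    remote = parse_remote_bytes(status, body)
    if local is None:
        local = os.urandom(EXPECTED_BYTES)
    return hmac.new(local, remote, hashlib.sha256).digest()


# Constructed replies: a healthy answer and a maintenance page served with HTTP 503.
GOOD_BODY = "\n".join("%02x" % ((i * 37 + 11) % 256) for i in range(EXPECTED_BYTES)) + "\n"
ERROR_BODY = "<html><body>Service temporarily unavailable</body></html>"
```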

Passphrase wallet weakness

Insider threats

Cold wallet is not enough

51% issue

Bitcoins can be just lost

Law enforcement can take your bitcoins

What to do?
• Manage the project risk and recognize the IT security risk
• Use the power of the blockchain:
  • MULTISIG
  • Key derivation
  • Rely on the blockchain (record the transaction)
  • Cold wallets
  • Backups
  • Use recent achievements in blockchain technology and smart contracts
• Use the application security standards:
  • Open Application Security Maturity Model (OpenSAMM)
  • Application Security Verification Standard (ASVS)
  • OWASP Proactive Controls
  • OWASP Top 10 for web and mobile
• Manage the security (use ISO 27001 and COBIT 5)

Let’s get in touch!
