OTCBTC Case Study

How one of the largest cryptocurrency exchanges handles security with Sqreen

OTCBTC is the largest Over-The-Counter (OTC) cryptocurrency exchange in Asia. An OTC exchange allows buyers and sellers to trade directly with each other without passing through an intermediary. Think eBay for cryptocurrencies 🙌.

OTCBTC was founded by successful entrepreneur YiTing Cheng, also known as XDite. XDite is a developer at heart. She started coding over 10 years ago, is a winner of the 2012 Facebook Developer World Hack and is heavily involved in the Rails community. Before OTCBTC, XDite founded the largest Ruby on Rails training institute in China and was the CTO of the largest ICO fundraising platform in China before it got shut down by the Chinese government.

The company launched at the end of October 2017 and is already handling over $40 M in transaction volume per day for over 320,000 users. OTCBTC successfully raised $40 M in an ICO last winter that lasted just 63 seconds. The team, now 40 people, is looking to hire many engineers to sustain the 20%+ weekly growth it is facing.

OTCBTC is built using Ruby on Rails and relies heavily on AWS for its infrastructure. This allowed the company to quickly build and scale their platform to what it is today.

OTCBTC Website

Security risks for cryptocurrency exchanges: the threats are real!

Cryptocurrencies have been all the rage these last couple of years, and cryptocurrency exchanges are among the biggest targets for hackers. Examples of successful hacks are countless.

“Running a crypto exchange is 100x harder than other software businesses” - XDite

Everything handled by crypto exchanges is valuable to hackers, from sensitive data to crypto assets.

This reality is confirmed by the data we are seeing across Sqreen customers. On average, companies involved with cryptocurrencies (exchanges or performing ICOs), see more than 30 times more attacks than other industries, in proportion to their overall traffic.

Cryptocurrency Exchanges Security Risks

Crypto exchanges face two major types of security risks. The first is attacks targeting the users directly. A simple account takeover may already be enough for a hacker to leak sensitive data or even steal crypto assets. Brute-forcing or enumerating accounts with databases of stolen passwords, or phishing, are straightforward techniques used to perform account takeovers.

The second is attacks on the platform itself. Attackers look for vulnerabilities in the application or misconfigurations in the infrastructure. Vulnerabilities like cross-site scripting or injections can be very damaging, as they can leak sensitive data or harm the business.

Implementing security best practices and controls is therefore not an option. Unfortunately, crypto exchanges are just like other fast-growing startups: they often lack the resources to tackle all these security risks at the same time.

Implementing security by design for a fast-growing startup

The biggest challenge for a fast-growing startup is to be able to prioritize and execute on its security needs, especially when some of the risks remain unknown.

OTCBTC identified that it “needed to educate users about security best practices and build product security features directly into the product.” For XDite and Vincent, the CTO, this translated into “strong 2FA mechanisms and email confirmations for every major user action”. They also educated users about phishing and other account takeover vectors.

“There’s a lot of malicious behavior we need to prevent, and there are so many unknown attacks we aren’t even aware of” - Vincent.

But OTCBTC wanted to do more to improve the security of its users and apps. The team looked for a security solution that would monitor suspicious user behaviors to detect possible malicious activity and improve their application security, all without being hard to install and without requiring a lot of maintenance or deep security knowledge.

Sqreen’s application security monitoring and protection solution was the perfect fit: it allowed the OTCBTC team to stay focused on customer-facing product development without spending too much time on security or having to hire a security engineer.

Installing the agent takes a couple of commands, depending on the language of the app:

Node.js
$ npm install --save sqreen
$ echo '{ "token": "your token" }' > sqreen.json
// This should be the first line of your app
require('sqreen');

Ruby
$ echo "gem 'sqreen'" >> Gemfile
$ bundle install
$ echo "token: your token" > config/sqreen.yml

PHP
$ curl -s https://download.sqreen.io/php/install.sh > sqreen-install.sh && bash sqreen-install.sh your token

Python
$ pip install sqreen
$ echo -e "[sqreen]\ntoken: your token" > sqreen.ini
# Insert at the top of your app file (typically wsgi.py or app.py)
import sqreen
sqreen.start()

Java
$ curl https://download.sqreen.io/java/sqreen-.jar -o sqreen.jar
// Add JVM startup options:
-javaagent:/path/to/sqreen.jar -Dsqreen.token={{your token}}

Go
Request your beta access for the Go agent.

“Installing Sqreen in production took us only a few minutes. We liked that Sqreen was just a gem to add to our app” - Vincent.

Protecting users from account takeovers and scams

Security is all about adding extra layers to minimize risk. Implementing strong product security features is a great first step, and one the OTCBTC team has taken. Sqreen helps the OTCBTC team add more advanced protection for its users.

The development team uses Sqreen to monitor suspicious login behaviors and prevent losses of cryptocurrency for its users.

Sqreen detects suspicious login locations, connections from Tor, and accounts breached in brute force or account enumeration attacks.

When a significant event occurs, the engineering team is notified right away via Slack.

Slack Notification Brute Force Attack

Looking at the user detail, the team can easily identify suspicious user properties or behaviors.

Suspicious User Detail
This is fake data. Sqreen has no access to customers' data.

Did a user who always logged in from the same country/IP just connect from an unknown location? Was the account part of a large account enumeration or brute force attack, with successful connections coming from the attacking IP? Did the user connect from an IP associated with a known attacker?

All these questions and more can be easily answered by OTCBTC to identify possible fraud and attacks targeting the users.
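The three questions above map onto simple checks over a login log. The Ruby script below is an added example written for this case study; it is not Sqreen's or OTCBTC's code. It runs three heuristics over a constructed set of login events (a new country for an account with login history, one IP failing against many distinct accounts within a short window, and a successful login from a flagged or known-attacker IP). The event fields, the thresholds and the known-attacker IP list are assumptions.

```ruby
require 'set'
require 'time'

# Constructed login events (made up for this example, not customer data).
# Each hash holds the fields a Rails login controller would typically log.
FAILED_PROBES = (1..12).map do |i|
  { user: "user#{i}", ip: "198.51.100.77", country: "US", success: false,
    at: "2018-03-03T02:00:#{format('%02d', i)}Z" }
end

LOGIN_EVENTS = [
  { user: "alice", ip: "203.0.113.10",  country: "TW", success: true,  at: "2018-03-01T08:00:00Z" },
  { user: "alice", ip: "203.0.113.10",  country: "TW", success: true,  at: "2018-03-02T08:05:00Z" },
  { user: "bob",   ip: "203.0.113.20",  country: "JP", success: true,  at: "2018-03-02T09:00:00Z" },
  # one IP failing against twelve different accounts within twelve seconds...
  *FAILED_PROBES,
  # ...followed by a successful login for bob from that same IP
  { user: "bob",   ip: "198.51.100.77", country: "US", success: true,  at: "2018-03-03T02:01:00Z" },
  # alice logs in from a country she has never used before
  { user: "alice", ip: "192.0.2.55",    country: "BR", success: true,  at: "2018-03-04T23:30:00Z" },
].map { |e| e.merge(at: Time.iso8601(e[:at])) }

# Constructed placeholder list; a real deployment would feed this from threat intelligence.
KNOWN_ATTACKER_IPS = Set["192.0.2.200"]

# Heuristic 1: did an account that always logged in from the same countries
# just connect from a country absent from its successful-login history?
def new_location?(events, event)
  prior = events.select { |e| e[:user] == event[:user] && e[:success] && e[:at] < event[:at] }
  return false if prior.empty? # first login ever: nothing to compare against
  prior.none? { |e| e[:country] == event[:country] }
end

# Heuristic 2: which IPs look like brute force or account enumeration, i.e. failed
# logins against at least `min_accounts` distinct accounts within `window` seconds?
def brute_force_ips(events, window: 600, min_accounts: 10)
  flagged = Set.new
  events.reject { |e| e[:success] }.group_by { |e| e[:ip] }.each do |ip, fails|
    sorted = fails.sort_by { |e| e[:at] }
    sorted.each_index do |i|
      # sliding window starting at each failure
      in_window = sorted[i..-1].take_while { |e| e[:at] - sorted[i][:at] <= window }
      if in_window.map { |e| e[:user] }.uniq.size >= min_accounts
        flagged << ip
        break
      end
    end
  end
  flagged
end

# Heuristic 3: accounts with a successful login from a brute-forcing or
# known-attacker IP, i.e. the guessing found valid credentials.
def breached_accounts(events)
  bad_ips = brute_force_ips(events) | KNOWN_ATTACKER_IPS
  events.select { |e| e[:success] && bad_ips.include?(e[:ip]) }.map { |e| e[:user] }.uniq
end

# Run every heuristic over the log and return the findings worth alerting on.
def login_findings(events = LOGIN_EVENTS)
  findings = []
  events.select { |e| e[:success] }.each do |e|
    findings << "#{e[:user]}: login from new country #{e[:country]} (#{e[:ip]})" if new_location?(events, e)
  end
  brute_force_ips(events).each { |ip| findings << "#{ip}: brute force / account enumeration" }
  breached_accounts(events).each { |u| findings << "#{u}: successful login from an attacking IP" }
  findings
end

puts login_findings if $PROGRAM_NAME == __FILE__
```

On the constructed data the script flags the attacking IP, marks bob as breached because the only success from that IP lands on his account, and reports both bob's and alice's logins as coming from a new country. The new-location check deliberately stays silent for an account's very first login, since there is no history to compare against; that is the kind of edge case that otherwise floods a team with noisy alerts.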

“Sqreen allows us to always be on top of fraudulent activities.” - Vincent

“Security can be daunting and if not done correctly can slow down your engineering teams with noisy alerts. Sqreen’s in-app approach ensures we’re only notified when our attention is required and we can focus on building a great product”

Identifying malicious users before it’s too late

As with most services, OTCBTC’s attack surface for unauthenticated users is very small. But signups are open, and with a large number of daily active users it quickly becomes impossible to monitor suspicious user behaviors by hand. Relying only on logs is not enough: it makes it impossible to detect attackers or malicious users before it’s too late. That’s where Sqreen comes into play.

By using Sqreen, the OTCBTC team is notified every time a new suspicious user is detected. “We are only notified when something important happens in our app”. The risk score of a user gradually increases with the actions they perform: a user starting to scan the app for known vulnerabilities, attacks being performed, and so on. When this happens, an incident is created and a Slack notification is sent:

Slack Notification Targeted Attack

An incident details the suspicious activities performed by this user:

Targeted Attack Incident
This is fake data. Sqreen has no access to customers' data.
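To make the gradual rise of a per-user risk score concrete, here is an added Ruby example written for this case study; it is not Sqreen's scoring model or OTCBTC's code. It walks a constructed request log, adds points for two signals (a burst of requests to paths that never existed, which is what a scanner produces, and requests the in-app agent blocked as attacks), and opens an incident once a user's score crosses a threshold. The signal weights, the free allowance of 404s and the threshold are illustrative assumptions.

```ruby
# Constructed request log for two users (made-up data, not customer traffic).
# `blocked` means the in-app agent rejected the request as an attack.
REQUESTS = [
  { user: "alice",   path: "/orders",      status: 200, blocked: false },
  { user: "alice",   path: "/orders/42",   status: 200, blocked: false },
  { user: "alice",   path: "/orders/9999", status: 404, blocked: false },
  { user: "mallory", path: "/orders",      status: 200, blocked: false },
  { user: "mallory", path: "/admin",       status: 404, blocked: false },
  { user: "mallory", path: "/backup.zip",  status: 404, blocked: false },
  { user: "mallory", path: "/old",         status: 404, blocked: false },
  { user: "mallory", path: "/config.php",  status: 404, blocked: false },
  { user: "mallory", path: "/orders?id=1", status: 403, blocked: true  },
  { user: "mallory", path: "/orders?id=1", status: 403, blocked: true  },
]

# Illustrative weights chosen for this example, not Sqreen's values.
WEIGHTS = {
  not_found_burst: 10, # each 404 beyond the free allowance: the user is guessing paths
  blocked_attack:  20, # the agent blocked a malicious request from this user
}
FREE_NOT_FOUND = 2     # a couple of 404s are normal (typos, stale links)
INCIDENT_THRESHOLD = 40

# Walk one user's requests in order and return [request index, signal, cumulative score]
# for every request that raised the score, so the gradual rise is visible.
def risk_timeline(requests, user)
  score = 0
  not_found = 0
  timeline = []
  requests.each_with_index do |r, i|
    next unless r[:user] == user
    if r[:blocked]
      score += WEIGHTS[:blocked_attack]
      timeline << [i, :blocked_attack, score]
    elsif r[:status] == 404
      not_found += 1
      if not_found > FREE_NOT_FOUND
        score += WEIGHTS[:not_found_burst]
        timeline << [i, :not_found_burst, score]
      end
    end
  end
  timeline
end

# Current score of a user (0 when nothing suspicious happened).
def risk_score(requests, user)
  last = risk_timeline(requests, user).last
  last ? last[2] : 0
end

def incident?(requests, user)
  risk_score(requests, user) >= INCIDENT_THRESHOLD
end

# Users whose score crossed the threshold, with the request at which it happened:
# this is the moment an incident would be created and the team notified.
def incidents(requests)
  requests.map { |r| r[:user] }.uniq.map { |u|
    crossing = risk_timeline(requests, u).find { |_, _, score| score >= INCIDENT_THRESHOLD }
    crossing && { user: u, at_request: crossing[0], score: crossing[2] }
  }.compact
end

if $PROGRAM_NAME == __FILE__
  incidents(REQUESTS).each { |inc| puts "incident: #{inc[:user]} reached #{inc[:score]} at request #{inc[:at_request]}" }
end
```

On the constructed log alice's single stale link costs her nothing, while mallory's two extra 404s put her at 20 and the first blocked request lifts her to 40, which is where the incident opens; the timeline returned by risk_timeline shows each step and is the data an incident report would list as "suspicious activities performed by this user".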

OTCBTC is automatically protected against security scanners and bots, and if an attacker manages to find a vulnerability, Sqreen blocks the harmful request and reports a stack trace back to the team. The OTCBTC team just has to look at the incident report and decide whether it wants to ban the user from the platform completely.

“Using Sqreen allows us to be protected against the most dangerous attacks that can target our platform. We know when we use vulnerable gems and are protected against scanners, bots, SQL injections or cross-site scripting”. The team sleeps better at night and can focus on building the best cryptocurrency exchange for their users.

Takeaways

Security risks in the cryptocurrency space are serious. Engineering teams have to take strong measures to implement security by design in their applications to protect their data and users.

By delegating part of its security needs to Sqreen, the cryptocurrency exchange OTCBTC is able to reduce the risk affecting its application and users, while keeping the focus on delivering the best OTC crypto exchange possible to its users.

“Acting as our security engineer as a service, Sqreen is providing a positive ROI right after the installation.” - XDite

---

To know more about Sqreen, visit our product page or request a demo for a live presentation to learn how Sqreen can help you protect your (cryptocurrency) platforms.
