Saturday, 23 February 2019

Can Crypto Bots Be Hacked on Exchanges?

The cryptocurrency industry lures millions of customers and thousands of frauds.
The unregulated Wild West of the modern financial sphere features insane volatility, round-the-clock trading, and anonymous transactions hidden from governments and regulators. Hackers are ever ready to steal millions of dollars in crypto by using both classic and innovative tools to fool novice token holders. From traditional phishing to clipboard hijacking, hackers apply various schemes to replace wallets’ addresses.


One of the modern approaches is related to manipulations with crypto bots and APIs. Fraudsters can compromise automated trading software on exchanges and place any orders, or get access to users’ sensitive data. If you consider using bots, make sure to read more about their features, vulnerabilities, and safety measures.

A primer on crypto bots

Crypto trading bots are programs, which analyze markets and place orders automatically. Considering high volatility and constant changes of the crypto world, bots are convenient as they can monitor the market 24/7/365. Also, they are fast and can place buy/sell orders regularly to get more profits.

Sounds wonderful, doesn’t it? However, trading bots aren’t flawless. They are relatively complex systems, which strictly follow the user-defined preferences, so they require careful tuning. Additionally, advanced programs may come with monthly fees. It means that you can easily lose money if you don’t know how to use bots properly.

Before ordering or creating a bot, it’s better to remember the general features of premium software:

● Reliability

● Transparency

● Profitability

● Ease of use

● Security

Probably, the last point is the most important as it closely relates to the safety of your money. Any bot is certainly a gold mine for hackers or phishers, so pay close attention to the protection of trading software, or a platform that you use. Before engaging in any sort of activity, check the security measures for every exchange pointed out on TheProblem.wtf.

Weaknesses of automated trading

Crypto bots execute orders by interacting with exchanges APIs — application programming interfaces. As a result, we face the scenario of two machines working together without manual control.

The problem is in the centralized nature of trading bots and platforms. As hackers can’t access blockchain-based systems because of their nearly perfect security, they focus on traditional central-server systems, which rely on personal data like passwords, e-wallet addresses or keys. And it becomes even easier to hack machines, which work independently.

Thus, bots and APIs have three major flaws that might result in:

● Making unprofitable deals. If hackers get access to the first layer of trading interface, they can only place orders. Certainly, they will make deals which are profitable for them, but not for you.

● Stealing money. The second layer gives options to withdraw money. Obviously, hackers will do it after placing some orders and getting enough profit.

● Getting access to sensitive data. Along with making buy/sell deals, fraudsters can access personal info like keys to crypto wallets that are linked with the bot.

Hackers and their tools

Hackers can break into the system and modify codes to set new algorithms for bots. Sometimes, the owners can even miss these changes and continue using their trading software. Without diving into technical details, there are some other ways to hack bots, trading programs or APIs.

Further on, you can check the examples of crypto bots based on different technical frameworks.

APIs

As we’ve mentioned before, bots interact with exchanges’ APIs — specific interfaces, which allow placing orders automatically. Usually, these systems are based on a few permission levels protected with unique keys. Utilizing phishing schemes, hackers can access these keys and break into the system.

One of the brightest examples of fraudulent API usage is the Binance case. This exchange has three permissions in its API: reading, trading, and withdrawing. In July 2018, hackers got access to the first two levels, pumped the price of SYS coin, and transferred huge amounts to the accounts with withdrawing permissions that they had controlled earlier. As a result, Binance prompted temporary shutdown, reset all API keys, and tested the whole security system.

What’s the problem? Binance is a highly secure platform but it’s also centralized. Professional hackers can steal keys and get control over trading bots or APIs easily.

Apps

This example is simple and, partially, refers to the previous one. You know trading applications for desktops or mobiles, which allow placing orders in a smooth and convenient way. These programs aren’t bots as they require manual control, but they also are based on APIs, which have some weaknesses.

For instance, remember the fake Poloniex apps created by fraudsters for Android systems. They were freely available in Google Play, so users simply provided their personal info and account credentials to hackers. Fake exchange applications are a kind of phishing scams that are utilized by criminals to access user wallets or accounts, so be careful and use 2FA always.

Extensions

Some trading bots may come as add-ons for browsers. They look highly convenient as you can trade faster and always control the process. However, we suggest avoiding such extension options by all means, because they are fraudulent usually. Browser plugins and add-ons may compromise your hardware or simply copy everything you type in including keys and passwords.

Slack bots

Various Slack programs and channels are used by crypto scammers for fraudulent activity. In 2017, it was reported that a number of blockchain development teams were attacked by cyber criminals via a Slackbot. Hackers utilize phishing schemes by alerting users about a potentially profitable deal and providing a link to a scam website, which will ask you to enter sensitive data or log in to your wallet.

Protecting yourself from hacks

Summarizing it, we want to provide some info on safety measures which you should take while interacting with any crypto trading program, application, or interface. Here are the most valuable tips:

● Keep API keys secret. Don’t share your personal data like keys for bots, private addresses of crypto wallets, and passwords.

● Turn off automated withdrawals. Better, spend some time and do it manually. In this case, hackers will potentially be able to make unprofitable deals but they will not steal your money.

● Do a lot of research. Bots are pretty complicated tools, so take your time and read about trading strategies, preferences, and protection measures.

Generally, rely on trusted software only, and don’t forget about ‘Internet hygiene’. Bots may be useful and profitable, but they are machines and they may be hacked like any other computing devices.

By Julia Beyers
source: hackernoon.com 
Legal disclaimer: The insight, recommendations and analysis presented here are based on corporate filings, current events, interviews, corporate press releases, and what we've learned as financial journalists. They are presented for the purposes of general information only, and all the information belongs to the original publishers. These may contain errors and we make no promises as to the accuracy or usefulness of the information we present. You should not make any investment decision based solely on what you read here.

Creamcoin Marketcap