John Furrier sits down with Anand Prakash of AppSecure at HoshoCon 2018, the first ever blockchain security conference.
#HoshoCon #theCUBE
siliconangle.com/2018/10/22/a...
APIs are leaving crypto door ajar to burglars, says white-hat hacker
White-hat bounty hunters put enterprises’ cybersecurity systems to the test for pay. Their clients figure it’s preferable to pay a skilled hacker a reasonable fee to point out vulnerabilities than wait for a black hat to rob them blind.
These pros are now putting cryptocurrency exchanges and initial coin offerings to the test - and their grades are nothing to boast about, according to Anand Prakash (pictured), founder of AppSecure India Pvt Ltd.
Prakash spoke with John Furrier, host of theCUBE, SiliconANGLE Media’s mobile livestreaming studio, during the recent HoshoCon event in Las Vegas. They discussed the need for greater security in the expanding crypto market.
Cryptosecurity needs kick in the pants
Prakash has a reputation as one of the most talented white-hat bounty hunters around. He has hacked Facebook, Twitter, Uber and other services. With cryptocurrency hack becoming the modern-day bank robbery, it was clear to Prakash that crypto businesses needed to take a hard look at their security checks. So he began hacking ICOs and crypto exchanges - and all were surprised at how easy it was.
“They thought putting up a two-factor authentication or something like that makes their account secure,” he said. This is not the case at all. Prakash was easily able to hack through their application program interfaces. In fact, APIs and URLs are two access points now quite popular with hackers - and many companies are not properly securing them, according to Prakash.
“We don’t need a big, high-end machine to hack into services,” Prakash said.
Most of the cryptocurrency exchanges he has hacked lacked basic security checks. “They have a password screen on the [user interface], but I can simply hit the API, and with no authentication or authorization, I can just log in to anyone’s account. And then I can get funds out of their system.” Also with tokens, he also has obtained personally identifiable information of users.
Prakash recommends crypto businesses get busy cleaning house and securing their API entry points and other vulnerabilities.
Here’s the complete video interview, part of SiliconANGLE’s and theCUBE’s coverage of HoshoCon 2018: