IEEE Std 2140.2:2021 pdf free download – IEEE Standard for Security Management for Customer Cryptographic Assets on Cryptocurrency Exchanges

02-12-2022

3.1 General
The goal of user authentication management is to establish a more comprehensive information management and profile analysis capability for users from the collection of multi-dimensional user information on the premise of protecting user data privacy, and to improve the exchange's ability to identify possible risks in customer accounts. On the other hand, cryptocurrency exchanges use multiple tools to confirm the identity of platform users, promptly identify suspicious users and high-risk behaviors on the platform, and take blocking actions. User authentication mainly covers three scenarios: registration authentication, real-name authentication, and security authentication.
3.2 Registration authentication
Users generate account information on the exchange based on the SMS verification code of the mobile phone number or the verification code of the registered mailbox, etc.; human-machine verification addresses problems such as machine risks, garbage registration, and bonus hunters.
3.3 Real-name authentication
After completing registration and generating account information, users shall submit relevant information that proves their identity such as ID cards, passports, or bills, and may pass more advanced biometric technology verification such as face recognition.
3.4 Security authentication
Cryptocurrency exchanges shall guide and remind customers to complete diversified password setting strategies to improve account security levels, including but not limited to account passwords, fund trading passwords, Google identity one-time password, gesture passwords, and fingerprint passwords. When monitoring abnormal behaviors such as login and password modification in different IP areas of the same account, exchanges shall notify the customer in a timely manner via SMS or other means to confirm the real-name and security authentication.
In conclusion, cryptocurrency exchanges shall establish a user data form management mechanism and dynamically update it based on the collected customer authentication information. Cryptocurrency exchanges may also identify abnormal account behaviors by marking different user accounts.
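The monitoring rule in 3.4 (login and password modification from different IP areas of the same account) and the account marking described above can be sketched as follows. This is an added example, not text or code from the standard; the one-hour window, the event tuple layout, the alert fields and the upstream resolution of an address to an "IP area" are assumptions.

```python
WINDOW_SECONDS = 3600  # assumed policy value; the standard does not give one
SENSITIVE = {"login", "password_change"}

# Constructed sample events: (epoch seconds, account, action, IP area).
# Assumption: the IP area was resolved from the source address upstream.
SAMPLE_EVENTS = [
    (1000, "alice", "login", "area-A"),
    (1300, "alice", "password_change", "area-A"),
    (1500, "bob", "login", "area-B"),
    (1900, "alice", "login", "area-C"),            # area switch inside the window
    (2000, "alice", "password_change", "area-C"),  # change on a marked account
    (9000, "bob", "login", "area-D"),              # area switch outside the window
    (9100, "bob", "view_balance", "area-A"),       # not a sensitive action
]


def detect_area_switches(events, window=WINDOW_SECONDS):
    """Return (alerts, marked accounts) for sensitive actions across IP areas."""
    last_seen = {}  # account -> (timestamp, area) of its last sensitive action
    marked = set()  # accounts awaiting customer confirmation / re-authentication
    alerts = []
    for ts, account, action, area in sorted(events):
        if action not in SENSITIVE:
            continue
        prev = last_seen.get(account)
        last_seen[account] = (ts, area)
        if prev and area != prev[1] and ts - prev[0] <= window:
            marked.add(account)
            alerts.append({"account": account, "ts": ts, "reason": "area_switch",
                           "from": prev[1], "to": area})
        elif account in marked and action == "password_change":
            # A credential change before the customer has confirmed is escalated.
            alerts.append({"account": account, "ts": ts,
                           "reason": "password_change_while_marked",
                           "from": area, "to": area})
    return alerts, marked


if __name__ == "__main__":
    for alert in detect_area_switches(SAMPLE_EVENTS)[0]:
        print("notify customer:", alert)
```

Each alert corresponds to a customer notification via SMS or other means; a marked account stays marked until the customer confirms real-name and security authentication, which this sketch leaves to the caller.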
4. Infrastructure security regulations
4.1 General
Infrastructure services are software- and hardware-integrated solution capabilities that support the overall business operations of cryptocurrency exchanges and are the core support of cryptocurrency exchanges. Historically, exchange infrastructure service systems have caused the loss of customer cryptographic assets on the exchange due to factors such as hacking or manual operation errors. The core infrastructure of the exchange includes servers (e.g., computer rooms), communication networks, encrypted asset custodial wallets, Web and App applications. Therefore, the security business specifications shall be formulated for the above three infrastructures, and the security regulations shall be strictly implemented to establish security problem identification. Security specifications mainly cover four aspects: security management of the physical area where the infrastructure is located, security inspection and protection of the infrastructure itself, personnel security education, and security response specifications.
5.2.1 Memory matching
Memory matching requires that, during the matching process, all the data information involved in the trading system is stored in the memory of the matching engine. During the transaction process that reduces access to the database, aggregation results and intermediate data are also completely stored in memory and can reduce the input and output process of the system. Memory-based aggregation can greatly improve the speed of aggregation. To address the fatal flaw of data loss, event sourcing can be used. Event sourcing is a method of writing business logic and persistent data centered on events.
5.2.2 Communication mode—"Publish/subscribe" mode
In the "request/response" mode, the client and the server are strongly coupled, both need to be available at the same time, and the client can only wait until the server finishes processing the request, which reduces the processing speed of the client; while in the "publish/subscribe" mode, when the subscriber's service is interrupted, the message will be persisted in the message queue and continue to be processed when the service resumes, without the need for the publisher to resend the message, thus improving the reliability of system communication.
