21st-century - An on-screen keyboard should be available to enter passwords should the user wish to avoid potential key-loggers on their machine. The location of the keys should be randomly generated to make recording mouse movement impossible, leaving the only option of recording the screen.
If you suspect that your machine has a keylogger, you shouldn't be using it in the first place.
- An expiration for cookies should be user specifiable.
- Accounts should automatically log out after x minutes.
What's the difference? If you're logged out, your session/cookie is no longer valid.
- Complexity of passwords should be such that brute forcing the login form or the hash is computationally impossible.
While you could enforce minimum password length, enforcing complexity results in Sticky-Note Security: Users won't remember the passwords & instead write them down & paste them on their monitors or write them in their phones.
- Security alerts emailed to users after x amount of invalid attempts.
Why annoy the user with failed attempts? The attacker can be block listed for 15 minutes (based on IP/Browser/Cookie).
- User definable limits on withdrawal.
What difference does it make? If an attacker gained access to the account, s/he could change that limit.
- Only services on the exchange that need to be accessible should be.
- Vigorous logging of activity should occur.
- The exchange should audit the clients for the potential of them being exploited by a side-channel attack.
Elaborate please.
- Exchange internal and external network should be audited and secure.
By whom?
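As an added illustration of the two server-side mechanisms this reply leans on (the 15-minute block list keyed on IP/browser in place of per-failure alerts, and the point that an idle auto-logout and a cookie expiry amount to the same thing once the server stops honouring the session), here is example code that is not from the thread or any exchange's code base. The thresholds (5 failures, 15-minute block, 10-minute idle timeout), the client key format and the timestamps are constructed assumptions.

```python
import time

# Constructed defaults (assumptions, not from the thread): 5 failures within
# the window trips a 15-minute block; sessions expire after 10 idle minutes.
MAX_FAILURES = 5
BLOCK_SECONDS = 15 * 60
IDLE_TIMEOUT_SECONDS = 10 * 60


class LoginGuard:
    """Temporarily blocks a client key (e.g. IP + browser fingerprint) after
    repeated failed logins, instead of emailing the user on every failure."""

    def __init__(self, max_failures=MAX_FAILURES, block_seconds=BLOCK_SECONDS):
        self.max_failures = max_failures
        self.block_seconds = block_seconds
        self._failures = {}       # key -> timestamps of recent failures
        self._blocked_until = {}  # key -> time at which the block lifts

    def is_blocked(self, key, now=None):
        now = time.time() if now is None else now
        until = self._blocked_until.get(key)
        if until is None:
            return False
        if now >= until:          # block expired: forget it and start clean
            del self._blocked_until[key]
            self._failures.pop(key, None)
            return False
        return True

    def record_failure(self, key, now=None):
        """Returns True if this failure tripped the block."""
        now = time.time() if now is None else now
        recent = [t for t in self._failures.get(key, []) if now - t < self.block_seconds]
        recent.append(now)
        self._failures[key] = recent
        if len(recent) >= self.max_failures:
            self._blocked_until[key] = now + self.block_seconds
            return True
        return False

    def record_success(self, key):
        self._failures.pop(key, None)


class SessionStore:
    """Idle-timeout sessions: a session with no request for idle_timeout
    seconds is invalid, which is what 'auto logout after x minutes' and
    'cookie expiry' both come down to on the server side."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT_SECONDS):
        self.idle_timeout = idle_timeout
        self._last_seen = {}  # session token -> last activity time

    def create(self, token, now=None):
        self._last_seen[token] = time.time() if now is None else now

    def touch(self, token, now=None):
        """Validate and refresh a session; False if unknown or idle too long."""
        now = time.time() if now is None else now
        last = self._last_seen.get(token)
        if last is None or now - last > self.idle_timeout:
            self._last_seen.pop(token, None)
            return False
        self._last_seen[token] = now
        return True


def simulate():
    """Constructed scenario: one client key hammers the login form, then
    comes back after the block; one session goes idle past the timeout."""
    guard = LoginGuard()
    key = "203.0.113.7|Mozilla/5.0 (constructed UA)"   # IP + browser, constructed
    t0 = 1_700_000_000                                  # constructed epoch time
    tripped = [guard.record_failure(key, t0 + i) for i in range(5)]
    blocked_now = guard.is_blocked(key, t0 + 10)
    blocked_after = guard.is_blocked(key, t0 + BLOCK_SECONDS + 60)

    sessions = SessionStore()
    sessions.create("tok-abc", t0)
    alive = sessions.touch("tok-abc", t0 + 5 * 60)                  # 5 min idle: fine
    expired = sessions.touch("tok-abc", t0 + 5 * 60 + IDLE_TIMEOUT_SECONDS + 1)
    return {
        "tripped_on_fifth": tripped == [False, False, False, False, True],
        "blocked_now": blocked_now,
        "blocked_after_15min": blocked_after,
        "session_alive_at_5min": alive,
        "session_expired": expired,
    }


if __name__ == "__main__":
    print(simulate())
```

The block is keyed on whatever the caller passes in (here IP plus user agent), so a shared NAT address can still be told apart by browser, and the block lifts on its own rather than needing the legitimate user to act on an email. The session check is the same whether the client's cookie carries an expiry or not: once the server has dropped the token, the cookie is just a stale string.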