CoinLoan and Security: How We Store Assets
Security has become a primary concern in the crypto world. In the first quarter of 2019, $356 million worth of cryptocurrency was stolen.
Hackers recently hijacked $40 million in bitcoins from Binance, one of the largest exchanges by cryptocurrency trading volume.
Given the circumstances, it is time to discuss the technology itself and understand the way assets are stored and managed. Remember when John McAfee’s ‘unhackable’ Bitfi wallet got hacked?
Another incident occurred in late March 2019 with CoinBene exchange. The platform that claimed user funds were 100 percent secure lost $100 million worth of cryptoassets.
Unfortunately, it is sometimes challenging to comprehend how security systems work. That leaves users to wonder whether crypto exchanges are worthy of trust.
CoinLoaners consistently ask us about security precautions we undertake to keep our users' assets safe, and they are right to do so. When you think about lending, a company's reliability is a prime concern.
CoinLoan’s Assets Security Framework
- We store customers' assets in BitGo, the most trusted custodian, with $250 million insurance cover from Lloyd's.
- CoinLoan performs operations with crypto assets according to the rules outlined in the Cryptocurrency Security Standard (CCSS), a security framework covering the security requirements for companies dealing with cryptocurrency.
- Crypto assets are stored in offline, cold, multi-signature wallets.
- Transaction signing only happens offline on separate devices that have never been connected to the network. The process itself involves several people.
- The multi-signature process needs several keys (N) with a required quorum of any (M) keys. For example, you need 3 out of 5 or 5 out of 8 keys to conduct a transaction. Thus, a single individual can't sign a transaction. At the same time, if you lose one of the multi-sig keys, you will never completely lose control of your assets.
- We store encrypted key parts in bank safe deposit boxes to guard against potential loss from events such as natural disasters, floods, earthquakes, fires, etc.
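The M-of-N quorum rule from the list above as an added example (not CoinLoan's or BitGo's code). HMAC-SHA256 stands in for the asymmetric signatures a real wallet uses, and the key ring, holder names and transaction bytes are constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed sample data: five demo keys and a 3-of-5 policy as in the text.
KEYRING = {f"holder-{i}": hashlib.sha256(f"demo-key-{i}".encode()).digest()
           for i in range(1, 6)}
M = 3
TX = b"withdraw 1.5 BTC to example-address"


def sign(key: bytes, tx: bytes) -> bytes:
    """Stand-in for a signature: HMAC-SHA256 over the transaction bytes."""
    return hmac.new(key, tx, hashlib.sha256).digest()


def collect(holders, tx, keyring=KEYRING):
    """Gather (holder id, signature) pairs from the named key holders."""
    return [(h, sign(keyring[h], tx)) for h in holders]


def quorum_met(tx, signatures, keyring, m) -> bool:
    """True only if at least m distinct keys from keyring signed exactly tx."""
    valid = set()
    for holder, sig in signatures:
        key = keyring.get(holder)
        if key is None:
            continue  # not one of the N keys
        if hmac.compare_digest(sig, sign(key, tx)):
            valid.add(holder)  # a set: repeated signatures count once
    return len(valid) >= m


if __name__ == "__main__":
    sigs = collect(["holder-1", "holder-2", "holder-4"], TX)
    print("3 of 5 signed:", quorum_met(TX, sigs, KEYRING, M))
```

Counting distinct valid keys rather than signatures is what stops one key holder from reaching the quorum alone by signing several times.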
Our Most Frequently Asked Question
Why not store each loan's collateral in a multi-sig wallet? It requires 2 out of 3 keys: one for the borrower, one for the lender, and one for the platform.
We have to liquidate the collateral as fast as possible if a margin call occurs to prevent potential losses caused by market price fluctuations. This becomes impossible without custody and full control over collateral.
The Ten Security Layers of CoinLoan Platform
When it comes to safety, strong points matter but matter less than weaknesses. As soon as hackers learn to exploit vulnerabilities, the entire system is compromised. That's why we introduced the following ten security measures:
1. Secure Cloud Infrastructure
We use the best cloud service provider available on the market. It is certified by the world's strict security standards and is trusted by major banks and financial institutions.
2. Modern Encryption Standards (SSL with TLS 1.3, DNSSEC, HSTS)
Traffic between a client browser and server uses the most advanced encryption algorithm, approved for use in banking and credit card processing companies' ecosystems. DNSSEC protects the domain from DNS attacks. HSTS makes browsers send all requests over an encrypted connection.
3. Web Application Firewall (WAF) and DDoS Protection
The top player in the web application security market analyzes server requests. Hacking attempts, bots, and DDoS attacks are filtered out meticulously to prevent a service breakdown. None of our servers have direct access from the internet.
4. Regular Vulnerability Scans
CoinLoan infrastructure is monitored daily with the number-one vulnerability scanner to discover weaknesses of any given sub-system. We regularly update the list of our scanner's tests.
5. Secure Software Development Life Cycle (SSDLC)
According to this methodology, all changes in the code and features are inspected by developers, tested by QA specialists, and analyzed by security experts.
6. Bug Bounty Program
We have a partnering program for white hat hackers and welcome ethical specialists to collaborate with us to analyze vulnerabilities and enhance the security of the entire infrastructure. We react immediately to any findings. If bugs or vulnerabilities are discovered, we issue an update ASAP. To date, we have never faced issues that could have shaken our reputation.
7. PCI DSS Certification, SOC2, and ISO 27001
Currently, we are undergoing a security certification designed for banks and other financial institutions that process card payments. This procedure includes multiple independent security audits and penetration tests.
In the near future, we are planning to receive SOC2 and ISO 27001 security certifications.
8. Account Takeover Protection
Our system blocks any attempts to steal passwords and one-time two-factor authentication (2FA) codes. We always notify the user via email of an ongoing login process, with details like the browser type and geolocation.
Our email system can detect attempted intrusions fast. Each session is linked to the browser and IP address, protecting an account from cookie theft and session hijacking.
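One way to link a session to the browser and IP address, as an added example (not CoinLoan's code). The in-memory `SESSIONS` store, the function names and the two sample clients are assumptions made for the demonstration.

```python
import hashlib
import hmac
import secrets

SESSIONS = {}  # server-side store: session id -> {"user", "fp"}


def fingerprint(ip: str, user_agent: str) -> str:
    """Digest of the client properties the session is bound to."""
    return hashlib.sha256(f"{ip}\n{user_agent}".encode()).hexdigest()


def login(user: str, ip: str, user_agent: str) -> str:
    """Create a session after successful authentication; returns the cookie value."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "fp": fingerprint(ip, user_agent)}
    return sid


def authenticate(sid: str, ip: str, user_agent: str):
    """Return the user for a cookie presented by the same client, else None."""
    session = SESSIONS.get(sid)
    if session is None:
        return None
    if not hmac.compare_digest(session["fp"], fingerprint(ip, user_agent)):
        del SESSIONS[sid]  # cookie seen from another client: revoke it
        return None
    return session["user"]


# Constructed sample clients (documentation IP ranges).
OWNER = ("203.0.113.10", "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0")
OTHER = ("198.51.100.7", "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0")

if __name__ == "__main__":
    cookie = login("alice", *OWNER)
    print("owner:", authenticate(cookie, *OWNER))
    print("copied cookie, other client:", authenticate(cookie, *OTHER))
```

On a mismatch the session is revoked, so the legitimate user, including one whose IP address simply changed, has to sign in again.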
9. Infrastructure Monitoring
CoinLoan infrastructure is monitored 24/7 in order to quickly spot abnormal activity and system errors.
10. Two-Factor Authentication
We use TOTP technology for 2FA to confirm each login attempt, funds withdrawal, password reset, and other crucial account actions. You can read more on how 2FA works on CoinLoan here.
Also, here is a bonus video for those who get to the end of this long read:
We welcome discussions on this topic, and we would love to hear your questions and thoughts!