Do We Store Your Crypto Assets Securely?
Max Sapelov, CoinLoan Co-founder and CTO, explains assets and platform security
In today’s always-‘on,’ always-connected reality, security has become a primary concern in the crypto world. Just in the first quarter of 2019, $356 million in cryptocurrency was stolen.
Further, hackers recently stole $40 million in bitcoins from Binance, one of the largest cryptocurrency exchanges worldwide by reported trading volume. Sadly, in practice, supposedly secure blockchain technology often proves to be the opposite.
Metaphorically speaking, an ‘unpickable’ front door lock doesn’t mean your house is fully protected, especially when you’ve left your windows wide open. It’s one thing to talk about the technology itself and another to understand how assets are stored and managed. For instance, crypto-exchanges are desirable targets for hackers because these platforms keep hot wallet private keys on network-connected machines to allow for instant withdrawals.
Currently, marketing slogans and headlines about security are popular. However, thefts proving these claims false are just as common. Remember when John McAfee’s ‘unhackable’ Bitfi wallet got hacked?
Another noteworthy incident occurred in late March 2019. The CoinBene exchange, which claimed user funds were 100 percent secure, lost $100 million worth of cryptoassets.
Unfortunately, the inner workings of security systems aren’t visible, making it impossible to confirm or deny a company’s security claims. This leaves us in a position where we just have to take these companies at face value until a theft happens.
CoinLoaners consistently ask us about security issues, and they are right to do so. When you think about where to lend, you want to make sure the people behind the company are good custodians of your assets. To show you that we fit that standard, today, we’re giving the floor to Max Sapelov, Co-founder and CTO here at CoinLoan.
Unique security features and unique vulnerabilities go hand in hand, which is why it does not make sense to start off talking about CoinLoan’s ‘unbreakable’ protection. Instead, it is critical to explain how CoinLoan ensures the integral safety of our users and their assets. By explaining these systems, you are then able to draw your own conclusions about our security-first mindset.
- Today, we will talk about assets security on CoinLoan;
- And discuss our ten-level approach to platform security.
CoinLoan’s Assets Security Framework
Any technology has its weak points and attack vectors. In terms of cryptoassets, the security of our private keys is paramount to securing cryptocurrency funds.
Generally, hot wallets are crypto-exchanges’ main vulnerability; however, this is not the case with CoinLoan. As a security expert, I have created this simple rule:
“If the system can process crypto-withdrawals automatically, then it’s vulnerable to hacks — without exception.”
Because of this principle, we do not store any private keys on network-connected devices, and that is why we process all withdrawals manually. Manual processing means that small delays may occur, but your security is our top priority.
Deposits, by contrast, are processed automatically, because this can be done with only public keys (addresses) on our servers. Further, I can confirm that we have one of the fastest crypto-deposit processing systems on the market.
CoinLoan’s Assets Security Principles:
- We now store customers’ assets with BitGo, a qualified and the most trusted custodian, with insurance for $100 million from Lloyd’s.
- CoinLoan performs all operations with crypto assets in accordance with the Cryptocurrency Security Standard (CCSS), a security framework that covers a series of strict security requirements for systems that operate with cryptocurrencies.
- All cryptoassets are stored in offline, cold, multi-signature wallets.
- Transaction signing only happens offline on separate devices that have never been connected to the network, and this process involves several people.
- The multi-signature process involves several keys (N) with a required quorum of any M of them. For example, you need 3 out of 5 keys or 5 out of 8 keys to conduct a transaction. Thus, a single individual cannot sign a transaction alone. This system also ensures that, if you lose one of the multi-sig keys, you will never lose control over your assets completely.
- We store encrypted parts of the keys in a geographically-distributed manner in the banks’ safe deposit boxes to prevent potential loss of the keys due to natural disasters, including floods, earthquakes, fires, etc.
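The M-of-N quorum rule from the list above, as an added example (not CoinLoan's or BitGo's code). It assumes hypothetical holder names and uses HMAC as a stand-in for the asymmetric signatures a real multi-signature wallet verifies, so that the block runs on the standard library alone.

```python
import hashlib
import hmac
import os

# Constructed sample: N = 5 key holders, quorum M = 3 (names are hypothetical).
HOLDERS = {name: os.urandom(32) for name in ("k1", "k2", "k3", "k4", "k5")}
QUORUM = 3


def sign(key: bytes, tx: bytes) -> bytes:
    """Stand-in signature: HMAC-SHA256 over the exact transaction bytes."""
    return hmac.new(key, tx, hashlib.sha256).digest()


def quorum_met(tx: bytes, approvals, holders=HOLDERS, m=QUORUM) -> bool:
    """approvals is a list of (holder_name, signature) pairs.

    An approval counts only if the holder is registered and the signature
    covers this transaction; each holder counts at most once.
    """
    valid_holders = set()
    for name, signature in approvals:
        key = holders.get(name)
        if key is None:
            continue  # unknown signer
        if hmac.compare_digest(signature, sign(key, tx)):
            valid_holders.add(name)  # a set, so repeats by one holder count once
    return len(valid_holders) >= m


def approvals_from(names, tx: bytes):
    """Helper for the sample data: each named holder signs tx."""
    return [(n, sign(HOLDERS[n], tx)) for n in names]
```

Counting distinct holders rather than signatures is what stops one person from reaching the quorum by signing several times, and binding each signature to the transaction bytes stops an approval for one withdrawal from being reused for another.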
Our Most Frequently-Asked Question
Why not store each loan’s collateral in a multi-sig wallet that requires 2 out of 3 keys — with the first from a borrower, the second from a lender, and the third from the platform?
The answer is pretty simple. We have to liquidate the collateral as fast as possible in case of a margin call to prevent potential losses caused by market price fluctuations. Obviously, this is not possible if we do not have custody and lack full control of collateral.
The Ten Security Layers of CoinLoan’s Platform
In safety, what matters is not the presence of strengths, but the absence of weaknesses. As soon as a single weak point can be exploited by malicious hackers, the entire system becomes susceptible, which is why I am not going to waste time creating a slogan to try to summarize our complex security system. Instead, I’m going to lift the veil of secrecy surrounding our ten security measures:
1. Secure Cloud Infrastructure
We use the best-on-the-market cloud services provider that is certified by the world’s strict security standards and is trusted by major banks and financial institutions.
2. Modern Encryption Standards (SSL with TLS 1.3, DNSSEC, HSTS)
Traffic between the client browser and the server is protected by the most advanced encryption protocol, one that is approved for use within banks and credit card processing companies. The domain is protected from DNS man-in-the-middle attacks by DNSSEC, and HSTS makes browsers send every request over an encrypted connection.
3. Web Application Firewall (WAF) and DDoS Protection
The top player in the web application security market analyzes server requests. Hacking attempts, bots, and DDoS attacks are filtered out meticulously to prevent a service breakdown. None of our servers have direct access to the Internet.
4. Regular Vulnerability Scans
The CoinLoan infrastructure is checked daily with the number-one vulnerability scanner to discover weaknesses of any given sub-system. The list of tests for our scanner is updated regularly.
5. Secure Software Development Life Cycle (SSDLC)
According to this methodology, every coding change made and new feature implemented is inspected by developers, tested by QA specialists, and analyzed by security experts.
6. Bug Bounty Program
We have a partnering program for white hat hackers and welcome ethical specialists to collaborate with us in analyzing vulnerabilities and enhancing the security of services infrastructure. We react immediately to any reports, and in cases where bugs or vulnerabilities are discovered, we issue an update ASAP. It should be noted that no serious problems have been reported to date.
7. PCI DSS Certification
Currently, we are undergoing a security certification designed for banks and other financial institutions that process card payments. This procedure includes multiple independent security audits, penetration tests, and other phases of control.
8. Account Takeover Protection
Our system blocks attempts to brute force passwords and one-time two-factor authentication (2FA) codes. Beyond this block, at each log-in, we notify the user via an email with details regarding the browser and geolocation used at log-in.
Our email system helps detect attempted intrusions at a glance. Each session is linked to the browser and IP address, which protects against cookie theft and session hijacking.
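One way a session can be linked to the browser and IP address, shown as an added example (not CoinLoan's code). The class name, the in-memory store and the use of the User-Agent string as the browser identifier are assumptions made for illustration.

```python
import hashlib
import secrets


class SessionStore:
    """Server-side sessions bound to the client that logged in."""

    def __init__(self):
        self._sessions = {}  # sha256(token) -> (user, ip, user_agent)
        self.alerts = []     # mismatches worth notifying the user about

    @staticmethod
    def _key(token: str) -> str:
        # Store only a hash, so a leaked session table does not leak cookies.
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, user: str, ip: str, user_agent: str) -> str:
        token = secrets.token_urlsafe(32)  # unguessable cookie value
        self._sessions[self._key(token)] = (user, ip, user_agent)
        return token

    def validate(self, token: str, ip: str, user_agent: str):
        """Return the user name, or None if the session is unknown or misused."""
        key = self._key(token)
        record = self._sessions.get(key)
        if record is None:
            return None
        user, bound_ip, bound_ua = record
        if (ip, user_agent) != (bound_ip, bound_ua):
            # Cookie presented by a different client: treat it as stolen,
            # revoke the session and record the event.
            del self._sessions[key]
            self.alerts.append((user, ip, user_agent))
            return None
        return user
```

Strict IP binding also ends the sessions of legitimate users whose address changes, for example on mobile networks, so the mismatch path should lead to a fresh login rather than an account block.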
9. Infrastructure Monitoring
Monitoring of CoinLoan infrastructure continues around the clock for the rapid identification of abnormal activity and system errors.
10. Two-Factor Authentication
We use TOTP technology for 2FA to confirm each log-in attempt, funds withdrawal, password reset, and other crucial account actions. You can read more on how 2FA works on CoinLoan here.
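TOTP verification combined with the brute-force blocking of one-time codes described under Account Takeover Protection, as an added example (not CoinLoan's code). It implements RFC 6238 with HMAC-SHA1, 30-second steps and 6 digits; the lockout threshold and the one-step drift window are assumptions.

```python
import hashlib
import hmac
import struct

STEP = 30         # seconds per time step (RFC 6238 default)
DIGITS = 6
MAX_FAILURES = 5  # assumption: illustrative lockout threshold


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing unix_time."""
    counter = struct.pack(">Q", unix_time // STEP)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation, RFC 4226
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class TotpVerifier:
    """Per-account verifier: drift window, replay rejection, failure lockout."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.failures = 0
        self.last_used_step = -1

    def verify(self, code: str, now: int) -> bool:
        if self.failures >= MAX_FAILURES:
            return False  # locked: even a correct code is refused
        current = now // STEP
        for step in (current, current - 1, current + 1):  # one step of drift
            if step <= self.last_used_step:
                continue  # single use: never accept the same step twice
            expected = totp(self.secret, step * STEP)
            if hmac.compare_digest(expected.encode(), code.encode()):
                self.last_used_step = step
                self.failures = 0
                return True
        self.failures += 1
        return False


# Constructed sample: the shared secret from the RFC 6238 test vectors.
RFC_SECRET = b"12345678901234567890"
```

With 6-digit codes and a three-step window, an unthrottled guesser needs on the order of a few hundred thousand attempts; the failure counter caps that at five, and the unlock policy (timer, email confirmation, support) is left out of this sketch.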