The CoinLoan security system is built around the ten main principles below. You can find the full explanation of CoinLoan security in our blog post.
If you want to know more about how we store cryptoassets, please follow the link.
1. Secure Cloud Infrastructure
We use the best-on-the-market cloud services provider, which is certified against the world's strictest security standards and is trusted by major banks and financial institutions.
2. Modern Encryption Standards (SSL with TLS 1.3, DNSSEC, HSTS)
Traffic between a client browser and our servers uses the most advanced encryption algorithm approved for use by banks and credit card processing companies. The domain is protected from DNS man-in-the-middle attacks by DNSSEC. HSTS forces every browser request over an encrypted HTTPS connection.
3. Web Application Firewall (WAF) and DDoS Protection
The top player in the web application security market analyzes server requests. Hacking attempts, bots, and DDoS attacks are filtered out meticulously to prevent a service breakdown. None of our servers have direct access to the Internet.
4. Regular Vulnerability Scans
The CoinLoan infrastructure is checked daily with the number-one vulnerability scanner to discover weaknesses in any sub-system. The list of tests our scanner runs is updated regularly.
5. Secure Software Development Life Cycle (SSDLC)
Under this methodology, every code change and every new feature is inspected by developers, tested by QA specialists, and analyzed by security experts before release.
6. Bug Bounty Program
We run a partnering program for white hat hackers and welcome ethical specialists to collaborate with us in analyzing vulnerabilities and enhancing the security of our service infrastructure. We react immediately to any report, and where a bug or vulnerability is confirmed, we issue an update ASAP. It should be noted that no serious problems have been reported to date.
7. PCI DSS Certification
We are currently undergoing a security certification designed for banks and other financial institutions that process card payments. The procedure includes multiple independent security audits, penetration tests, and other control phases.
8. Account Takeover Protection
Our system blocks attempts to brute force passwords and one-time two-factor authentication (2FA) codes. In addition, at each log-in we notify the user by email with details of the browser and geolocation used.
These emails help detect attempted intrusions at a glance. Each session is bound to the browser and IP address it was created from, which protects against cookie theft and session hijacking.
9. Infrastructure Monitoring
CoinLoan infrastructure is monitored around the clock to rapidly identify abnormal activity and system errors.
10. Two-Factor Authentication
We use time-based one-time passwords (TOTP) for 2FA to confirm each log-in attempt, funds withdrawal, password reset, and other crucial account actions. You can read more on how 2FA works here.
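As an added illustration of the brute-force blocking described in item 8 and the TOTP verification in item 10, the following is example code written for this page, not CoinLoan's own implementation. It assumes RFC 6238 TOTP with HMAC-SHA1, 30-second steps and 6 digits, uses the RFC 6238 Appendix B test key as a constructed sample secret, and picks a lockout of 5 failures per 300 seconds purely as an example threshold.

```python
import hashlib
import hmac
import struct

# Constructed sample secret: the 20-byte ASCII test key from RFC 6238 Appendix B.
DEMO_SECRET = b"12345678901234567890"


def totp_code(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 8-byte big-endian time-step counter,
    RFC 4226 dynamic truncation, then the last `digits` decimal digits."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class TwoFactorVerifier:
    """Checks TOTP codes and blocks guessing: after MAX_FAILURES wrong codes within
    LOCK_SECONDS the user is locked out, and the time step of an accepted code is
    remembered so the same code cannot be replayed. Thresholds are example values."""
    MAX_FAILURES = 5
    LOCK_SECONDS = 300

    def __init__(self, step: int = 30, drift_steps: int = 1):
        self.step = step
        self.drift_steps = drift_steps  # tolerate +/- one step of clock skew
        self.failures = {}              # user -> timestamps of recent failures
        self.last_step = {}             # user -> counter of the last accepted code

    def is_locked(self, user: str, now: int) -> bool:
        recent = [t for t in self.failures.get(user, []) if now - t < self.LOCK_SECONDS]
        self.failures[user] = recent
        return len(recent) >= self.MAX_FAILURES

    def verify(self, user: str, secret: bytes, code: str, now: int) -> bool:
        if self.is_locked(user, now):
            return False  # locked out: the code is not evaluated at all
        current = now // self.step
        for delta in range(-self.drift_steps, self.drift_steps + 1):
            candidate = current + delta
            if candidate <= self.last_step.get(user, -1):
                continue  # this step (or an older one) already yielded an accepted code
            expected = totp_code(secret, candidate * self.step, self.step)
            if hmac.compare_digest(expected, code):  # constant-time comparison
                self.last_step[user] = candidate
                self.failures.pop(user, None)
                return True
        self.failures.setdefault(user, []).append(now)
        return False
```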